Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Posted date 10/11/2025
Identificador
INCIBE-2025-0640
Importance
5 - Critical
Affected Resources
WinPlus version 24.11.27.
Description
INCIBE has coordinated the publication of 1 critial-severity vulnerability, 2 high-severity vulnerabilities and 2 medium-severity vulnerabilities affecting to WinPlus by Informática del Este, a platform for human resources management, time tracking, access control, and related functionality. The vulnerability was discovered by Antonio Moreno Gómez.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41346 CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-863
- CVE-2025-41347: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-434
- CVE-2025-41348: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-41349 y CVE-2025-41350: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
There is no solution reported at this time.
Detail
- CVE-2025-41346: faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application.
- CVE-2025-41347: Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'.
- CVE-2025-41348: SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters 'val1' and 'cont in '/WinplusPortal/ws/sWinplus.svc/json/getacumper_post'.
- CVE-2025-41349 y CVE-2025-41350: Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post' and '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
CVE
Explotación
No
Nuevo Fabricante
Informática del Este
Identificador CVE
CVE-2025-41346
Severidad
Crítica
Explotación
No
Nuevo Fabricante
Informática del Este
Identificador CVE
CVE-2025-41347
Severidad
Alta
Explotación
No
Nuevo Fabricante
Informática del Este
Identificador CVE
CVE-2025-41348
Severidad
Alta
Explotación
No
Nuevo Fabricante
Informática del Este
Identificador CVE
CVE-2025-41349
Severidad
Media
Explotación
No
Nuevo Fabricante
Informática del Este
Identificador CVE
CVE-2025-41350
Severidad
Media
References list
Etiquetas
