Description
ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.
Published: 2026-05-29
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ITS Intelligent SCADA System is affected by a stored cross‑site scripting (XSS) flaw. An attacker with privileged remote access can inject persistent JavaScript that is executed in any user’s browser when the page loads. Because the payload is stored, each subsequent visit to the page triggers the malicious script, allowing the attacker to steal session data, tamper with UI, or perform other client‑side attacks.

Affected Systems

The vulnerability impacts ITP Technology’s ITS Intelligent SCADA System. No specific version range is supplied by the vendor, so any deployed instance of the product should be examined for the presence of the flaw.

Risk and Exploitability

The CVSS score of 4.8 indicates a medium severity vulnerability. The EPSS score is below 1% (very low), and the flaw is not listed in the CISA KEV catalog. Per the CVSS vector (AV:N, PR:H, UI:R), the attack is carried out over the network by an attacker who already holds high privileges on the SCADA system, and a user must load the affected page for the script to run. Once stored, the script executes in the browser of any user who views that page.

Generated by OpenCVE AI on May 29, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the vendor‑issued patch or updated release for the ITS Intelligent SCADA System that removes the ability to store unescaped script content, once one is published.
  • If a patch is not available, implement input validation that removes or escapes HTML tags and JavaScript before storing user‑supplied data.
  • Deploy a web application firewall rule that blocks requests containing script tags or JavaScript event handlers targeted at the SCADA interface.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Values Removed: none
Values Added:
  • First Time appeared: Itp Technology; Itp Technology its Intelligent Scada System
  • Vendors & Products: Itp Technology; Itp Technology its Intelligent Scada System

Fri, 29 May 2026 11:30:00 +0000

Values Removed: none
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 09:00:00 +0000

Values Removed: none
Values Added:
  • Description: ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.
  • Title: ITP Technology|ITS Intelligent SCADA System - Stored Cross-Site Scripting
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
  • Metrics: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-05-29T11:02:06.658Z

Reserved: 2026-05-29T08:03:11.273Z

Link: CVE-2026-10058

Vulnrichment

Updated: 2026-05-29T11:02:00.443Z

NVD

Status: Deferred

Published: 2026-05-29T09:16:17.460

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-10058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:16Z