Search criteria
10 vulnerabilities found for WinPlus by Informatica del Este
CVE-2025-41350 (GCVE-0-2025-41350)
Vulnerability from cvelistv5 – Published: 2025-11-18 11:27 – Updated: 2026-02-18 12:17
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T19:19:46.858798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T19:26:49.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInform\u00e1tica del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the \u0027descripcion\u0027 parameter in \u0027/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post\u0027. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"value": "Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInform\u00e1tica del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the \u0027descripcion\u0027 parameter in \u0027/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post\u0027. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:17:39.735Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDaniel Cano Merch\u00e1n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\n\nDaniel Cano Merch\u00e1n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41350",
"datePublished": "2025-11-18T11:27:42.348Z",
"dateReserved": "2025-04-16T09:57:03.671Z",
"dateUpdated": "2026-02-18T12:17:39.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41349 (GCVE-0-2025-41349)
Vulnerability from cvelistv5 – Published: 2025-11-18 11:26 – Updated: 2026-02-18 12:17
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:31:13.201397Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:32:21.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInform\u00e1tica del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the \u0027descripcion\u0027 parameter in \u0027/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post\u0027. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"value": "Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInform\u00e1tica del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the \u0027descripcion\u0027 parameter in \u0027/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post\u0027. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:17:10.086Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41349",
"datePublished": "2025-11-18T11:26:23.985Z",
"dateReserved": "2025-04-16T09:57:03.670Z",
"dateUpdated": "2026-02-18T12:17:10.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41348 (GCVE-0-2025-41348)
Vulnerability from cvelistv5 – Published: 2025-11-18 11:24 – Updated: 2026-02-18 12:16
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters 'val1' and 'cont in '/WinplusPortal/ws/sWinplus.svc/json/getacumper_post'.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:33:02.161597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:35:01.430Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in WinPlus v24.11.27 by Inform\u00e1tica del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters \u0027val1\u0027 and \u0027cont in \u0027/WinplusPortal/ws/sWinplus.svc/json/getacumper_post\u0027."
}
],
"value": "SQL injection vulnerability in WinPlus v24.11.27 by Inform\u00e1tica del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters \u0027val1\u0027 and \u0027cont in \u0027/WinplusPortal/ws/sWinplus.svc/json/getacumper_post\u0027."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:16:33.695Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41348",
"datePublished": "2025-11-18T11:24:06.672Z",
"dateReserved": "2025-04-16T09:57:03.670Z",
"dateUpdated": "2026-02-18T12:16:33.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41347 (GCVE-0-2025-41347)
Vulnerability from cvelistv5 – Published: 2025-11-18 11:06 – Updated: 2026-02-18 12:16
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41347",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:35:19.716102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:39:39.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Inform\u00e1tica del Este. This vulnerability allows an attacker to upload a \u0027webshell\u0027 by sending a POST request to \u0027/WinplusPortal/ws/sWinplus.svc/json/uploadfile\u0027."
}
],
"value": "Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Inform\u00e1tica del Este. This vulnerability allows an attacker to upload a \u0027webshell\u0027 by sending a POST request to \u0027/WinplusPortal/ws/sWinplus.svc/json/uploadfile\u0027."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:16:04.094Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41347",
"datePublished": "2025-11-18T11:06:39.222Z",
"dateReserved": "2025-04-16T09:57:03.670Z",
"dateUpdated": "2026-02-18T12:16:04.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41346 (GCVE-0-2025-41346)
Vulnerability from cvelistv5 – Published: 2025-11-18 10:04 – Updated: 2026-02-18 12:15
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41346",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T21:12:19.231182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T21:12:26.877Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Faulty authorization control in software WinPlus v24.11.27 by Inform\u00e1tica del Este that allows another user to be impersonated simply by knowing their \u0027numerical ID\u0027, meaning that an attacker could compromise another user\u0027s account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application."
}
],
"value": "Faulty authorization control in software WinPlus v24.11.27 by Inform\u00e1tica del Este that allows another user to be impersonated simply by knowing their \u0027numerical ID\u0027, meaning that an attacker could compromise another user\u0027s account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:15:27.836Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41346",
"datePublished": "2025-11-18T10:04:11.741Z",
"dateReserved": "2025-04-16T09:57:03.670Z",
"dateUpdated": "2026-02-18T12:15:27.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41350 (GCVE-0-2025-41350)
Vulnerability from nvd – Published: 2025-11-18 11:27 – Updated: 2026-02-18 12:17
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T19:19:46.858798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T19:26:49.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInform\u00e1tica del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the \u0027descripcion\u0027 parameter in \u0027/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post\u0027. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"value": "Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInform\u00e1tica del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the \u0027descripcion\u0027 parameter in \u0027/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post\u0027. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:17:39.735Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDaniel Cano Merch\u00e1n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\n\nDaniel Cano Merch\u00e1n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41350",
"datePublished": "2025-11-18T11:27:42.348Z",
"dateReserved": "2025-04-16T09:57:03.671Z",
"dateUpdated": "2026-02-18T12:17:39.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41349 (GCVE-0-2025-41349)
Vulnerability from nvd – Published: 2025-11-18 11:26 – Updated: 2026-02-18 12:17
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:31:13.201397Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:32:21.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInform\u00e1tica del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the \u0027descripcion\u0027 parameter in \u0027/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post\u0027. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"value": "Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInform\u00e1tica del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the \u0027descripcion\u0027 parameter in \u0027/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post\u0027. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:17:10.086Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41349",
"datePublished": "2025-11-18T11:26:23.985Z",
"dateReserved": "2025-04-16T09:57:03.670Z",
"dateUpdated": "2026-02-18T12:17:10.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41348 (GCVE-0-2025-41348)
Vulnerability from nvd – Published: 2025-11-18 11:24 – Updated: 2026-02-18 12:16
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters 'val1' and 'cont in '/WinplusPortal/ws/sWinplus.svc/json/getacumper_post'.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:33:02.161597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:35:01.430Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in WinPlus v24.11.27 by Inform\u00e1tica del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters \u0027val1\u0027 and \u0027cont in \u0027/WinplusPortal/ws/sWinplus.svc/json/getacumper_post\u0027."
}
],
"value": "SQL injection vulnerability in WinPlus v24.11.27 by Inform\u00e1tica del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters \u0027val1\u0027 and \u0027cont in \u0027/WinplusPortal/ws/sWinplus.svc/json/getacumper_post\u0027."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:16:33.695Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41348",
"datePublished": "2025-11-18T11:24:06.672Z",
"dateReserved": "2025-04-16T09:57:03.670Z",
"dateUpdated": "2026-02-18T12:16:33.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41347 (GCVE-0-2025-41347)
Vulnerability from nvd – Published: 2025-11-18 11:06 – Updated: 2026-02-18 12:16
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41347",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:35:19.716102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:39:39.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Inform\u00e1tica del Este. This vulnerability allows an attacker to upload a \u0027webshell\u0027 by sending a POST request to \u0027/WinplusPortal/ws/sWinplus.svc/json/uploadfile\u0027."
}
],
"value": "Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Inform\u00e1tica del Este. This vulnerability allows an attacker to upload a \u0027webshell\u0027 by sending a POST request to \u0027/WinplusPortal/ws/sWinplus.svc/json/uploadfile\u0027."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:16:04.094Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41347",
"datePublished": "2025-11-18T11:06:39.222Z",
"dateReserved": "2025-04-16T09:57:03.670Z",
"dateUpdated": "2026-02-18T12:16:04.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41346 (GCVE-0-2025-41346)
Vulnerability from nvd – Published: 2025-11-18 10:04 – Updated: 2026-02-18 12:15
VLAI?
Title
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
Summary
Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Informatica del Este | WinPlus |
Affected:
24.11.27
|
Credits
Daniel Cano Merchán
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41346",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T21:12:19.231182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T21:12:26.877Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WinPlus",
"vendor": "Informatica del Este",
"versions": [
{
"status": "affected",
"version": "24.11.27"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:informatica_del_este:winplus:24.11.27:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Cano Merch\u00e1n"
}
],
"datePublic": "2025-11-18T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Faulty authorization control in software WinPlus v24.11.27 by Inform\u00e1tica del Este that allows another user to be impersonated simply by knowing their \u0027numerical ID\u0027, meaning that an attacker could compromise another user\u0027s account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application."
}
],
"value": "Faulty authorization control in software WinPlus v24.11.27 by Inform\u00e1tica del Este that allows another user to be impersonated simply by knowing their \u0027numerical ID\u0027, meaning that an attacker could compromise another user\u0027s account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:15:27.836Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025.\u003cbr\u003e"
}
],
"value": "The reported vulnerabilities have been fixed in version 25.10.16 and later of WinPLUS Cloud, released on 10/22/2025."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in WinPlus by Inform\u00e1tica del Este",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41346",
"datePublished": "2025-11-18T10:04:11.741Z",
"dateReserved": "2025-04-16T09:57:03.670Z",
"dateUpdated": "2026-02-18T12:15:27.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}