CVE-2018-25131

🗓️ 24 Dec 2025 19:27:44Reported by VulnCheckType

cve🔗 web.nvd.nist.gov👁 9 Views🌐 WEB

Stored cross-site scripting in Leica Geosystems GNSS config upload enables malicious HTML to run JavaScript.

Reporter	Title	Published	Views	Family All 7
CNNVD	Leica Geosystems GNSS 安全漏洞	24 Dec 202500:00	–	cnnvd
Cvelist	CVE-2018-25131 Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Stored XSS via Config Upload	24 Dec 202519:27	–	cvelist
EUVD	EUVD-2025-205350	24 Dec 202521:30	–	euvd
NVD	CVE-2018-25131	24 Dec 202520:15	–	nvd
Positive Technologies	PT-2025-53352	24 Dec 202500:00	–	ptsecurity
Vulnrichment	CVE-2018-25131 Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Stored XSS via Config Upload	24 Dec 202519:27	–	vulnrichment
Zero Science Lab	Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection	5 Jan 201900:00	–	zeroscience

Vulners

Node

leica_geosystems_ag gr10/gr25/gr30/gr50_gnssMatch4.30.063

leica_geosystems_ag gr10/gr25/gr30/gr50_gnssMatch4.20.232

leica_geosystems_ag gr10/gr25/gr30/gr50_gnssMatch4.11.606

leica_geosystems_ag gr10/gr25/gr30/gr50_gnssMatch3.22.1818

leica_geosystems_ag gr10/gr25/gr30/gr50_gnssMatch3.10.1633

leica_geosystems_ag gr10/gr25/gr30/gr50_gnssMatch2.62.782

leica_geosystems_ag gr10/gr25/gr30/gr50_gnssMatch1.00.395

[
  {
    "vendor": "Leica Geosystems AG",
    "product": "GR10/GR25/GR30/GR50 GNSS",
    "versions": [
      {
        "version": "4.30.063",
        "status": "affected"
      },
      {
        "version": "4.20.232",
        "status": "affected"
      },
      {
        "version": "4.11.606",
        "status": "affected"
      },
      {
        "version": "3.22.1818",
        "status": "affected"
      },
      {
        "version": "3.10.1633",
        "status": "affected"
      },
      {
        "version": "2.62.782",
        "status": "affected"
      },
      {
        "version": "1.00.395",
        "status": "affected"
      }
    ]
  }
]

Source	Link
zeroscience	www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5503.php
leica-geosystems	www.leica-geosystems.com/
exploit-db	www.exploit-db.com/exploits/46091

Parameter	Position	Path	Description	CWE
file	request body	upload_config/	Stored XSS via unrestricted file upload storing an HTML/JS payload in /settings/poc.html	CWE-79

17 Jun 2026 01:54Current

5.7Medium risk

Vulners AI Score5.7

CVSS 45.1

CVSS 3.17.2

EPSS0.00238

SSVC

CWE-79