Stored XSS Vulnerability in WinPlus by Informática del Este
CVE-2025-41350

5.1MEDIUM

Key Information:

Vendor: Informática Del Este
Status: Winplus
Vendor: CVE Published:; 18 November 2025

🔔 Create Informática Del Este Vulnerability Alert

What is CVE-2025-41350?

A stored cross-site scripting vulnerability exists in WinPlus v24.11.27 developed by Informática del Este. This flaw arises from inadequate validation of user input, specifically when sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post'. An attacker could exploit this vulnerability to craft a malicious query targeted at an authenticated user, potentially allowing the attacker to gain unauthorized access to the user's session details through cookie theft.

Affected Version(s)

WinPlus 24.11.27

References

https://www.incibe.es/en/incibe-cert/notices/aviso/stored...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 18, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

Antonio Moreno Gómez

JSON