Logo Cloud CVE-2025-0607
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Encoding or Escaping of Output vulnerability in Logo Software Inc. Logo Cloud allows Phishing.
This issue affects Logo Cloud: before 2.57.
AnalysisAI
Improper output encoding in Logo Cloud before version 2.57 enables phishing attacks by allowing injected or unescaped content to be rendered in the application context. The CVSS vector (PR:H/UI:R) narrows the realistic threat to authenticated high-privilege users who can introduce malicious output that is then presented to other users without proper sanitization. No active exploitation is confirmed - no CISA KEV listing and an EPSS score of 0.03% (10th percentile) both signal this is low-priority in the broader threat landscape.
Technical ContextAI
CWE-116 (Improper Encoding or Escaping of Output) describes a root cause where software constructs output for a downstream context - HTML, URL, command interpreter - without applying the encoding rules required by that context. In Logo Cloud, a cloud-based business software platform developed by Logo Software Inc. (Turkey), this manifests as application output that is rendered without sufficient HTML or URL encoding, permitting content injection. The phishing tag indicates the practical exploitation surface: an attacker can embed redirect links or spoofed UI elements that a victim user perceives as legitimate application content. The NVD advisory from USOM (TR-25-0318) does not specify a CPE string, so the affected component within Logo Cloud (web portal, API, email notification, or reporting module) cannot be confirmed from available data alone.
Affected ProductsAI
Logo Cloud, developed by Logo Software Inc., in all versions prior to 2.57 is confirmed affected per the NVD entry and the Turkish USOM advisory TR-25-0318 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0318). No CPE string was provided in the source data, so the exact platform architecture (SaaS, on-premise, hybrid) cannot be confirmed. Version 2.57 is the stated remediation baseline.
RemediationAI
Upgrade Logo Cloud to version 2.57 or later, which is the vendor-confirmed fix version per the USOM advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0318 and https://www.usom.gov.tr/bildirim/tr-25-0318). If immediate upgrade is not feasible, restrict high-privilege account access to trusted personnel only, enforce multi-factor authentication on all high-privilege Logo Cloud accounts to reduce the risk of account compromise that could enable exploitation, and audit any user-controllable output fields for content injection. Because UI:R is required, user awareness training to scrutinize links and embedded content within Logo Cloud is a meaningful compensating control. Note that none of these mitigations address the root encoding defect and should be treated as temporary.
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today