Skip to main content

Logo Cloud CVE-2025-0607

MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2025-10-06 iletisim@usom.gov.tr
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 06, 2026 - 08:36 vuln.today

DescriptionCVE.org

Improper Encoding or Escaping of Output vulnerability in Logo Software Inc. Logo Cloud allows Phishing.

This issue affects Logo Cloud: before 2.57.

AnalysisAI

Improper output encoding in Logo Cloud before version 2.57 enables phishing attacks by allowing injected or unescaped content to be rendered in the application context. The CVSS vector (PR:H/UI:R) narrows the realistic threat to authenticated high-privilege users who can introduce malicious output that is then presented to other users without proper sanitization. No active exploitation is confirmed - no CISA KEV listing and an EPSS score of 0.03% (10th percentile) both signal this is low-priority in the broader threat landscape.

Technical ContextAI

CWE-116 (Improper Encoding or Escaping of Output) describes a root cause where software constructs output for a downstream context - HTML, URL, command interpreter - without applying the encoding rules required by that context. In Logo Cloud, a cloud-based business software platform developed by Logo Software Inc. (Turkey), this manifests as application output that is rendered without sufficient HTML or URL encoding, permitting content injection. The phishing tag indicates the practical exploitation surface: an attacker can embed redirect links or spoofed UI elements that a victim user perceives as legitimate application content. The NVD advisory from USOM (TR-25-0318) does not specify a CPE string, so the affected component within Logo Cloud (web portal, API, email notification, or reporting module) cannot be confirmed from available data alone.

Affected ProductsAI

Logo Cloud, developed by Logo Software Inc., in all versions prior to 2.57 is confirmed affected per the NVD entry and the Turkish USOM advisory TR-25-0318 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0318). No CPE string was provided in the source data, so the exact platform architecture (SaaS, on-premise, hybrid) cannot be confirmed. Version 2.57 is the stated remediation baseline.

RemediationAI

Upgrade Logo Cloud to version 2.57 or later, which is the vendor-confirmed fix version per the USOM advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0318 and https://www.usom.gov.tr/bildirim/tr-25-0318). If immediate upgrade is not feasible, restrict high-privilege account access to trusted personnel only, enforce multi-factor authentication on all high-privilege Logo Cloud accounts to reduce the risk of account compromise that could enable exploitation, and audit any user-controllable output fields for content injection. Because UI:R is required, user awareness training to scrutinize links and embedded content within Logo Cloud is a meaningful compensating control. Note that none of these mitigations address the root encoding defect and should be treated as temporary.

Share

CVE-2025-0607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy