City Guide CVE-2025-10612
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in giSoft Information Technologies City Guide allows Reflected XSS.
This issue affects City Guide: before 1.4.45.
AnalysisAI
Reflected XSS in City Guide (giSoft Information Technologies) before version 1.4.45 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The CVSS Changed Scope (S:C) indicates the injected script can affect resources outside the vulnerable application's security domain - such as the user's broader browser session - enabling session theft, credential harvesting, or UI redirection. No public exploit identified at time of analysis, and an EPSS score of 0.03% at the 7th percentile reflects very low observed exploitation probability.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) is a classic Reflected XSS root cause, where attacker-controlled input is embedded into an HTTP response without adequate sanitization or output encoding. The vulnerability resides in City Guide, a web-based city information application developed by Turkish vendor giSoft Information Technologies. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C confirms the flaw is network-reachable, requires no authentication or complex conditions on the attacker's side, demands a single victim interaction (clicking a link), and has Changed Scope - meaning the injected script can cross component boundaries within the browser context. No CPE strings were provided in the source data, so affected platform specifics beyond the version range are not available.
Affected ProductsAI
City Guide by giSoft Information Technologies is affected in all versions prior to 1.4.45. The fix version 1.4.45 is confirmed by vendor advisory TR-25-0350, published by Turkey's national CERT (USOM/SOME) at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0350 and https://www.usom.gov.tr/bildirim/tr-25-0350. No CPE strings were provided, so additional platform or deployment-type constraints cannot be confirmed from available data.
RemediationAI
Upgrade City Guide to version 1.4.45 or later - this is the vendor-confirmed patched release per advisory TR-25-0350. Full advisory details are available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0350. If immediate patching is not feasible, a compensating control is to deploy a Web Application Firewall (WAF) rule to block requests containing common XSS payloads (e.g., script tags, event handler injections) targeting City Guide URL parameters; note this is a probabilistic control and may be bypassed with encoding variations. Additionally, Content Security Policy (CSP) headers can be configured at the reverse proxy level to restrict inline script execution, significantly reducing exploitability even if the underlying injection persists - however, this requires verifying the application does not rely on inline scripts for legitimate functionality.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today