Skip to main content

City Guide CVE-2025-10612

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-10-21 iletisim@usom.gov.tr
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 09:32 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in giSoft Information Technologies City Guide allows Reflected XSS.

This issue affects City Guide: before 1.4.45.

AnalysisAI

Reflected XSS in City Guide (giSoft Information Technologies) before version 1.4.45 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The CVSS Changed Scope (S:C) indicates the injected script can affect resources outside the vulnerable application's security domain - such as the user's broader browser session - enabling session theft, credential harvesting, or UI redirection. No public exploit identified at time of analysis, and an EPSS score of 0.03% at the 7th percentile reflects very low observed exploitation probability.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) is a classic Reflected XSS root cause, where attacker-controlled input is embedded into an HTTP response without adequate sanitization or output encoding. The vulnerability resides in City Guide, a web-based city information application developed by Turkish vendor giSoft Information Technologies. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C confirms the flaw is network-reachable, requires no authentication or complex conditions on the attacker's side, demands a single victim interaction (clicking a link), and has Changed Scope - meaning the injected script can cross component boundaries within the browser context. No CPE strings were provided in the source data, so affected platform specifics beyond the version range are not available.

Affected ProductsAI

City Guide by giSoft Information Technologies is affected in all versions prior to 1.4.45. The fix version 1.4.45 is confirmed by vendor advisory TR-25-0350, published by Turkey's national CERT (USOM/SOME) at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0350 and https://www.usom.gov.tr/bildirim/tr-25-0350. No CPE strings were provided, so additional platform or deployment-type constraints cannot be confirmed from available data.

RemediationAI

Upgrade City Guide to version 1.4.45 or later - this is the vendor-confirmed patched release per advisory TR-25-0350. Full advisory details are available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0350. If immediate patching is not feasible, a compensating control is to deploy a Web Application Firewall (WAF) rule to block requests containing common XSS payloads (e.g., script tags, event handler injections) targeting City Guide URL parameters; note this is a probabilistic control and may be bypassed with encoding variations. Additionally, Content Security Policy (CSP) headers can be configured at the reverse proxy level to restrict inline script execution, significantly reducing exploitability even if the underlying injection persists - however, this requires verifying the application does not rely on inline scripts for legitimate functionality.

Share

CVE-2025-10612 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy