Skip to main content

AcBakImzala CVE-2025-10727

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-10-23 iletisim@usom.gov.tr
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 09:33 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ArkSigner Software and Hardware Inc. AcBakImzala allows Reflected XSS.

This issue affects AcBakImzala: before v5.1.4.

AnalysisAI

Reflected XSS in AcBakImzala, ArkSigner's document signing application, affects all versions before v5.1.4 and allows unauthenticated remote attackers to inject and execute malicious scripts in a victim's browser. The attack requires the victim to interact with a crafted URL, limiting automated exploitation, but the low attack complexity and absence of authentication requirements make social-engineering-based delivery straightforward. No public exploit code or CISA KEV listing has been identified; EPSS is very low at 0.03% (9th percentile), consistent with limited observed exploitation interest at this time.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a class of flaws where attacker-controlled input from an HTTP request is echoed back into a server response without adequate sanitization or output encoding, causing the client browser to interpret it as executable script. AcBakImzala ('Open, View, Sign') is a web-based digital document signing platform developed by Turkish vendor ArkSigner Software and Hardware Inc.; the reflected nature of this XSS indicates that at least one request parameter is rendered unsanitized in the HTTP response. No CPE strings were provided in the source intelligence, so exact affected components within the application cannot be further scoped beyond the vendor's stated version range (before v5.1.4). The vulnerability was reported to Turkey's National Cyber Incident Response Center (USOM) and published under advisory TR-25-0356.

Affected ProductsAI

AcBakImzala by ArkSigner Software and Hardware Inc. is affected in all versions prior to v5.1.4. The affected version range is stated explicitly in the NVD description ('before v5.1.4'). No CPE strings were included in the source intelligence, so fine-grained platform or module scoping is not possible beyond this version boundary. The vendor advisory is published by Turkey's USOM at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0356 and https://www.usom.gov.tr/bildirim/tr-25-0356.

RemediationAI

The primary fix is to upgrade AcBakImzala to version v5.1.4 or later, as confirmed by the NVD description and USOM advisory TR-25-0356 (https://www.usom.gov.tr/bildirim/tr-25-0356). Organizations unable to update immediately should consider restricting access to the AcBakImzala web interface to trusted internal networks or VPN, which eliminates the network attack surface without disabling the application entirely; the trade-off is reduced accessibility for remote users. Deploying a Web Application Firewall (WAF) rule to detect and block reflected XSS payloads in request parameters targeting AcBakImzala endpoints can serve as a compensating control, though WAF bypass techniques exist and this should not replace patching. User awareness training to avoid clicking unsolicited links to the signing portal may reduce social-engineering effectiveness in the interim.

Share

CVE-2025-10727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy