Proliz OBS CVE-2025-10914
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System) allows Reflected XSS.
This issue affects OBS (Student Affairs Information System): before V26.0401.
AnalysisAI
Reflected cross-site scripting in Proliz Software OBS (Student Affairs Information System) prior to V26.0401 allows remote attackers to execute arbitrary JavaScript in a victim's browser session after luring them to click a crafted link. The high CVSS of 7.6 reflects unauthenticated network exploitation with high confidentiality impact, though no public exploit identified at time of analysis and EPSS data was not provided. The flaw was reported by Turkey's national CERT (USOM), indicating regional relevance for Turkish higher-education institutions that use this Student Affairs platform.
Technical ContextAI
OBS (Öğrenci Bilgi Sistemi) is a Turkish-language Student Affairs Information System developed by Proliz Software Ltd. Co. and widely deployed at Turkish universities to manage enrollment, grades, transcripts, and student records. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-controlled input is reflected back into an HTTP response without proper output encoding or contextual escaping, so attacker-supplied script payloads execute in the trusted origin of the OBS web application. Because the vulnerability is reflected rather than stored, the malicious payload travels in the request (typically a URL parameter) and is echoed into the rendered page.
Affected ProductsAI
Proliz Software Ltd. Co. OBS (Student Affairs Information System / Öğrenci Bilgi Sistemi) at all versions before V26.0401 is affected. No CPE string was published in the available data. Vendor and national-CERT advisories are available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0357 and https://www.usom.gov.tr/bildirim/tr-25-0357.
RemediationAI
Upgrade Proliz OBS to V26.0401 or later, which is the vendor-released fixed version referenced in the USOM advisory (https://www.usom.gov.tr/bildirim/tr-25-0357 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0357). Until patching is possible, deploy a WAF rule or reverse-proxy filter that blocks request parameters containing common XSS payload patterns (script tags, javascript: URIs, on* event handlers) destined for OBS endpoints - with the trade-off of potential false positives on legitimate rich input. Additionally, enforce a strict Content-Security-Policy header that disallows inline script and restricts script-src to known origins, accepting that this may break legacy OBS UI features and require regression testing, and instruct staff and students to avoid clicking OBS links arriving via email or chat from untrusted sources.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today