CityPLus CVE-2025-11151
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. CityPLus allows Detect Unpublicized Web Pages.
This issue affects CityPLus: before V24.29500.1.0.
AnalysisAI
Information disclosure in Beyaz Bilgisayar CityPLus versions before V24.29500.1.0 allows remote unauthenticated attackers to discover unpublicized web pages and sensitive system information. The flaw is reported by Turkey's national CERT (USOM) and carries a CVSS 8.2 score reflecting network-reachable exposure of confidential data without authentication. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
CityPLus is a municipal/city management software product from Beyaz Bilgisayar Yazilim Tasarim Sanayi ve Ticaret Ltd. Sti., a Turkish software vendor. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), with the additional dimension of CWE-497-style exposure of system information to an unauthorized control sphere. In practical terms, the application fails to properly enforce authorization or visibility boundaries around web pages that were intended to remain unpublished or internal, allowing unauthenticated callers to enumerate and access them directly. No CPE strings were published in the available data, which limits precise component-level attribution.
Affected ProductsAI
CityPLus by Beyaz Bilgisayar Yazilim Tasarim Sanayi ve Ticaret Ltd. Sti. is affected in all versions prior to V24.29500.1.0. No CPE string is published in the available intelligence. Vendor and national CERT advisories are available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0351 and https://www.usom.gov.tr/bildirim/tr-25-0351.
RemediationAI
Upgrade CityPLus to version V24.29500.1.0 or later, which is the vendor-released fix referenced in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0351 and the Turkish national cybersecurity bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0351. Until patching is completed, restrict network exposure of the CityPLus web interface to trusted municipal networks or VPN-only access via firewall ACLs (trade-off: breaks any legitimate public citizen-facing portal use), and place the application behind a reverse proxy or WAF configured to deny direct requests to non-linked or administrative paths (trade-off: requires maintaining an allowlist of intentionally public routes and may block legitimate deep links). Monitor web server access logs for sequential or dictionary-style URL probing as a detection compensating control.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today