Skip to main content

CityPLus CVE-2025-11151

HIGH
Information Exposure (CWE-200)
2025-10-21 iletisim@usom.gov.tr
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 20:31 vuln.today

DescriptionCVE.org

Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. CityPLus allows Detect Unpublicized Web Pages.

This issue affects CityPLus: before V24.29500.1.0.

AnalysisAI

Information disclosure in Beyaz Bilgisayar CityPLus versions before V24.29500.1.0 allows remote unauthenticated attackers to discover unpublicized web pages and sensitive system information. The flaw is reported by Turkey's national CERT (USOM) and carries a CVSS 8.2 score reflecting network-reachable exposure of confidential data without authentication. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

CityPLus is a municipal/city management software product from Beyaz Bilgisayar Yazilim Tasarim Sanayi ve Ticaret Ltd. Sti., a Turkish software vendor. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), with the additional dimension of CWE-497-style exposure of system information to an unauthorized control sphere. In practical terms, the application fails to properly enforce authorization or visibility boundaries around web pages that were intended to remain unpublished or internal, allowing unauthenticated callers to enumerate and access them directly. No CPE strings were published in the available data, which limits precise component-level attribution.

Affected ProductsAI

CityPLus by Beyaz Bilgisayar Yazilim Tasarim Sanayi ve Ticaret Ltd. Sti. is affected in all versions prior to V24.29500.1.0. No CPE string is published in the available intelligence. Vendor and national CERT advisories are available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0351 and https://www.usom.gov.tr/bildirim/tr-25-0351.

RemediationAI

Upgrade CityPLus to version V24.29500.1.0 or later, which is the vendor-released fix referenced in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0351 and the Turkish national cybersecurity bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0351. Until patching is completed, restrict network exposure of the CityPLus web interface to trusted municipal networks or VPN-only access via firewall ACLs (trade-off: breaks any legitimate public citizen-facing portal use), and place the application behind a reverse proxy or WAF configured to deny direct requests to non-linked or administrative paths (trade-off: requires maintaining an allowlist of intentionally public routes and may block legitimate deep links). Monitor web server access logs for sequential or dictionary-style URL probing as a detection compensating control.

Share

CVE-2025-11151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy