GoldenHorn CVE-2025-13127
LOWSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TAC Information Services Internal and External Trade Inc. GoldenHorn allows Cross-Site Scripting (XSS).
This issue affects GoldenHorn: before 4.25.1121.1.
AnalysisAI
Cross-site scripting in GoldenHorn (a web-based trade management platform by TAC Information Services Internal and External Trade Inc.) allows a low-privileged authenticated attacker to inject malicious JavaScript into pages rendered by other users, resulting in limited confidentiality impact such as session token or data exfiltration. All versions prior to 4.25.1121.1 are affected. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score of 0.02% (7th percentile) indicates very low exploitation probability at time of analysis.
Technical ContextAI
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical root cause for reflected or stored cross-site scripting. GoldenHorn fails to adequately sanitize or encode user-supplied input before embedding it in dynamically generated HTML responses. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) confirms this is a network-accessible flaw with low attack complexity, meaning no special conditions or race conditions are needed to trigger it. No CPE string was provided in the source data, so precise platform or component enumeration beyond the vendor description is not possible. The vulnerability was reported by Turkey's national CERT (USOM) and disclosed via the Turkish National Cyber Security Authority advisory TR-25-0441.
Affected ProductsAI
GoldenHorn by TAC Information Services Internal and External Trade Inc., all versions prior to 4.25.1121.1 are confirmed affected per the NVD entry and USOM advisory TR-25-0441. No CPE string was provided in the source data, so platform-level enumeration (OS, web server) is not available. The fix boundary version 4.25.1121.1 is the vendor-stated threshold. Advisory references: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0441 and https://www.usom.gov.tr/bildirim/tr-25-0441.
RemediationAI
Upgrade GoldenHorn to version 4.25.1121.1 or later, which is the vendor-stated fix boundary per the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0441 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0441. If an immediate upgrade is not feasible, compensating controls include restricting access to GoldenHorn to trusted internal networks or VPN (reducing the network-accessible attack surface), enforcing strong authentication policies to raise the bar for obtaining the low-privileged account required for exploitation, and implementing a web application firewall (WAF) rule to detect and block reflected XSS payloads in HTTP responses - noting that WAF rules can produce false positives and do not substitute for a code-level fix. No independent patch release confirmation beyond the vendor advisory was available in the provided data.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today