Skip to main content

GoldenHorn CVE-2025-13127

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-12-10 iletisim@usom.gov.tr
3.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 07:39 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TAC Information Services Internal and External Trade Inc. GoldenHorn allows Cross-Site Scripting (XSS).

This issue affects GoldenHorn: before 4.25.1121.1.

AnalysisAI

Cross-site scripting in GoldenHorn (a web-based trade management platform by TAC Information Services Internal and External Trade Inc.) allows a low-privileged authenticated attacker to inject malicious JavaScript into pages rendered by other users, resulting in limited confidentiality impact such as session token or data exfiltration. All versions prior to 4.25.1121.1 are affected. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score of 0.02% (7th percentile) indicates very low exploitation probability at time of analysis.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical root cause for reflected or stored cross-site scripting. GoldenHorn fails to adequately sanitize or encode user-supplied input before embedding it in dynamically generated HTML responses. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) confirms this is a network-accessible flaw with low attack complexity, meaning no special conditions or race conditions are needed to trigger it. No CPE string was provided in the source data, so precise platform or component enumeration beyond the vendor description is not possible. The vulnerability was reported by Turkey's national CERT (USOM) and disclosed via the Turkish National Cyber Security Authority advisory TR-25-0441.

Affected ProductsAI

GoldenHorn by TAC Information Services Internal and External Trade Inc., all versions prior to 4.25.1121.1 are confirmed affected per the NVD entry and USOM advisory TR-25-0441. No CPE string was provided in the source data, so platform-level enumeration (OS, web server) is not available. The fix boundary version 4.25.1121.1 is the vendor-stated threshold. Advisory references: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0441 and https://www.usom.gov.tr/bildirim/tr-25-0441.

RemediationAI

Upgrade GoldenHorn to version 4.25.1121.1 or later, which is the vendor-stated fix boundary per the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0441 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0441. If an immediate upgrade is not feasible, compensating controls include restricting access to GoldenHorn to trusted internal networks or VPN (reducing the network-accessible attack surface), enforcing strong authentication policies to raise the bar for obtaining the low-privileged account required for exploitation, and implementing a web application firewall (WAF) rule to detect and block reflected XSS payloads in HTTP responses - noting that WAF rules can produce false positives and do not substitute for a code-level fix. No independent patch release confirmation beyond the vendor advisory was available in the provided data.

Share

CVE-2025-13127 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy