Skip to main content

Hotech Otello CVE-2025-13183

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-12-23 iletisim@usom.gov.tr
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 07:36 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hotech Software Inc. Otello allows Stored XSS.

This issue affects Otello: from 2.4.0 before 2.4.4.

AnalysisAI

Stored cross-site scripting in Hotech Software's Otello product (versions 2.4.0 through 2.4.3) allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers upon viewing affected pages. Reported by Turkey's national CERT (USOM), the vulnerability carries a 7.3 CVSS score with high confidentiality and integrity impact, though no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.03%.

Technical ContextAI

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical class for cross-site scripting. As a stored XSS variant, the malicious payload is persisted server-side (typically in a database or file store) and rendered back to other users without adequate output encoding or input sanitization. Otello is a hospitality/PMS-oriented application developed by Hotech Software Inc., a Turkish vendor - the report came through Turkey's USOM/SibemGüvenlik national CERT channel. CPE strings were not provided in the available data, so exact configuration matching must rely on the version range stated in the advisory.

Affected ProductsAI

Hotech Software Inc. Otello is affected from version 2.4.0 up to but not including 2.4.4. No CPE strings were published in the provided NVD data, and no direct vendor advisory URL was supplied - the only references are the USOM/SibemGüvenlik Turkish CERT bulletin at https://www.usom.gov.tr/bildirim/tr-25-0476 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0476, which should be consulted for any additional product-edition or deployment caveats.

RemediationAI

Vendor-released patch: upgrade Otello to version 2.4.4 or later, which is the first fixed release per the affected-version range. Operators should consult the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0476 for vendor coordination details and confirm the exact patched build with Hotech Software directly, since no vendor URL was indexed in the public references. As compensating controls until patching, restrict the privilege levels that can submit content into stored fields (PR:L is required, so limiting who holds even low-privilege accounts reduces the injection surface), deploy a strict Content-Security-Policy header disallowing inline scripts to blunt payload execution (trade-off: may break legitimate inline scripts in the app and require allowlisting), and place a WAF rule in front of Otello to filter common XSS payloads in POST bodies to the affected endpoints (trade-off: false positives on legitimate rich-text input).

Share

CVE-2025-13183 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy