Hotech Otello CVE-2025-13183
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hotech Software Inc. Otello allows Stored XSS.
This issue affects Otello: from 2.4.0 before 2.4.4.
AnalysisAI
Stored cross-site scripting in Hotech Software's Otello product (versions 2.4.0 through 2.4.3) allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers upon viewing affected pages. Reported by Turkey's national CERT (USOM), the vulnerability carries a 7.3 CVSS score with high confidentiality and integrity impact, though no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.03%.
Technical ContextAI
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical class for cross-site scripting. As a stored XSS variant, the malicious payload is persisted server-side (typically in a database or file store) and rendered back to other users without adequate output encoding or input sanitization. Otello is a hospitality/PMS-oriented application developed by Hotech Software Inc., a Turkish vendor - the report came through Turkey's USOM/SibemGüvenlik national CERT channel. CPE strings were not provided in the available data, so exact configuration matching must rely on the version range stated in the advisory.
Affected ProductsAI
Hotech Software Inc. Otello is affected from version 2.4.0 up to but not including 2.4.4. No CPE strings were published in the provided NVD data, and no direct vendor advisory URL was supplied - the only references are the USOM/SibemGüvenlik Turkish CERT bulletin at https://www.usom.gov.tr/bildirim/tr-25-0476 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0476, which should be consulted for any additional product-edition or deployment caveats.
RemediationAI
Vendor-released patch: upgrade Otello to version 2.4.4 or later, which is the first fixed release per the affected-version range. Operators should consult the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0476 for vendor coordination details and confirm the exact patched build with Hotech Software directly, since no vendor URL was indexed in the public references. As compensating controls until patching, restrict the privilege levels that can submit content into stored fields (PR:L is required, so limiting who holds even low-privilege accounts reduces the injection surface), deploy a strict Content-Security-Policy header disallowing inline scripts to blunt payload execution (trade-off: may break legitimate inline scripts in the app and require allowlisting), and place a WAF rule in front of Otello to filter common XSS payloads in POST bodies to the affected endpoints (trade-off: false positives on legitimate rich-text input).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today