Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS.
This issue affects Online Support Application: from V3 through 31122025.
AnalysisAI
Remote code execution via reflected XSS in Tegsoft Online Support Application V3 through build 31122025 allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers with full application privileges. Despite being classified as CWE-79 (XSS), the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates critical impact typically reserved for RCE vulnerabilities, suggesting severe exploitation potential beyond typical XSS. Reported by TR-CERT (Turkish national CERT) with advisory published at USOM, indicating regional significance. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis.
Technical ContextAI
This vulnerability stems from improper neutralization of user-supplied input during HTML generation (CWE-79), commonly known as Cross-Site Scripting. The affected product is Tegsoft Management and Information Services Trade Limited Company's Online Support Application, specifically versions V3 through build dated 31122025 (CPE: cpe:2.3:a:tegsoft_management_and_information_services_trade_limited_company:online_support_application). Reflected XSS occurs when malicious scripts embedded in URLs or form inputs are immediately reflected back to users without proper sanitization or encoding. The unusually high CVSS score of 9.8 for an XSS vulnerability-matching scores typically assigned to unauthenticated remote code execution-suggests this may enable session hijacking of privileged accounts, CSRF token theft, or exploit chaining with backend vulnerabilities. Online support applications often handle sensitive customer data and administrative functions, amplifying the impact of successful XSS exploitation.
RemediationAI
Upgrade to Tegsoft Online Support Application build post-31122025 once vendor releases patched version addressing TR-26-0142. No specific fix version confirmed in available data-contact Tegsoft support referencing TR-CERT advisory TR-26-0142 to obtain current patch status and upgrade timeline. Consult Turkish USOM advisory at https://www.usom.gov.tr/bildirim/tr-26-0142 for official remediation guidance. If immediate patching is unavailable, implement Web Application Firewall (WAF) rules to block common XSS payloads in HTTP request parameters, though this creates detection blind spots for obfuscated attacks and adds latency to support portal response times. Deploy Content Security Policy (CSP) headers with strict script-src directives allowing only same-origin and explicitly whitelisted scripts, which breaks functionality if application relies on inline JavaScript or third-party CDN resources. Restrict network access to the Online Support Application to trusted IP ranges via firewall rules if business processes permit, reducing attack surface but preventing legitimate remote customer access. Given the UI:N CVSS designation, session timeout reduction and re-authentication requirements provide limited protection if exploitation requires no user interaction.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209611