Skip to main content

Proliz OBS CVE-2025-14347

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-17 iletisim@usom.gov.tr
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 07:40 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. OBS (Student Affairs Information System)0 allows Reflected XSS.

This issue affects OBS (Student Affairs Information System)0: before 26.5009.

AnalysisAI

Reflected XSS in Proliz Software Ltd. OBS (Student Affairs Information System) versions before 26.5009 allows authenticated low-privileged attackers to inject and execute malicious scripts in a victim user's browser session. The attack requires the victim to interact with a crafted URL, but upon success the confidentiality impact is rated High - meaningful in an academic context where sensitive student records and PII may be accessible. No public exploit code or CISA KEV listing exists; EPSS at 0.03% (8th percentile) indicates very low automated exploitation probability, suggesting risk is primarily confined to targeted attacks against specific Turkish educational institutions using this platform.

Technical ContextAI

The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the Reflected XSS subtype, where user-supplied input in HTTP request parameters is echoed back in server responses without proper output encoding or sanitization. OBS (Student Affairs Information System) is a web-based academic management platform developed by Proliz Software Ltd. and deployed in Turkish educational institutions. The CVSS vector AV:N/AC:L confirms the vulnerable parameter is accessible over the network with no special conditions, while PR:L indicates a low-privilege authenticated session is sufficient to submit the malicious payload. No CPE string was provided in the source data, so the precise affected component within OBS cannot be pinpointed beyond the version boundary of before 26.5009. The vulnerability was disclosed by Turkey's national CERT (USOM/TR-CERT) under advisory TR-25-0463.

Affected ProductsAI

Proliz Software Ltd. OBS (Student Affairs Information System), all versions prior to 26.5009, is confirmed affected per the CVE description and USOM advisory TR-25-0463. The advisory is published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0463 and https://www.usom.gov.tr/bildirim/tr-25-0463. No CPE string was included in the source data; the version boundary is stated only as 'before 26.5009.' No other Proliz products are identified as affected in available data.

RemediationAI

Upgrade OBS to version 26.5009 or later, which is the vendor-confirmed fix boundary per USOM advisory TR-25-0463 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0463). If immediate patching is not possible, administrators should restrict access to the OBS web interface to trusted internal networks or via VPN, reducing exposure to external attackers. Deploying a Web Application Firewall with XSS detection rules can intercept reflected payloads, though overly aggressive rules risk breaking legitimate form submissions - test in detection-only mode before enforcing. Implementing a strict Content-Security-Policy response header (e.g., default-src 'self') will prevent injected scripts from loading external resources or exfiltrating data, though this may require application-level testing for compatibility. Users should be advised not to follow unsolicited links referencing the OBS portal. No independent Proliz Software vendor advisory URL was found in the reference data beyond the USOM disclosure.

Share

CVE-2025-14347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy