
Library Automation System CVE-2025-15023

EUVD-2025-209858 | HIGH
Incorrect Authorization (CWE-863)
2026-05-14 | iletisim@usom.gov.tr | GHSA-h279-5fw7-cc3m
CVSS 3.1 base score: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: May 14, 2026, 18:30 (vuln.today)
CVE Published: May 14, 2026, 18:16 (nvd)

Description (NVD)

Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Library Automation System: from v.19.5 before v.22.1.

Analysis (AI)

An unauthenticated remote attacker can bypass access controls in Yordam Library Automation System versions 19.5 through 22.0 and reach library management functions they are not entitled to, with high confidentiality, integrity, and availability impact. The CVSS vector requires no privileges (PR:N) but does require user interaction (UI:R), so a legitimate user must take some action for the attack to succeed; the published description does not say what that interaction is. The issue was reported through Turkey's national CERT (USOM). At the time of this analysis there is no confirmation of active exploitation and no CISA KEV listing.

Technical Context (AI)

This is an incorrect authorization vulnerability (CWE-863) in a library management platform developed by Yordam Information Technology. CWE-863 covers cases where the application does perform an authorization check but performs it incorrectly, so an actor ends up allowed to do something they should not; it is distinct both from authentication failures and from CWE-862 (Missing Authorization), where the check is absent altogether. Here the flaw lies in how access control security levels are configured within the application's authorization framework, so a user who gets through the required interaction step can escalate privileges or reach functions that should have been refused. Library automation systems typically manage patron records, cataloging, circulation, acquisitions, and administrative functions, all sensitive operations that depend on strict role-based access control being enforced server-side on every request.
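As an added illustration of the CWE-863 pattern described above (hypothetical example code written for this page, not Yordam's code; nothing is known here about how the product actually implements its security levels): a numeric security-level scheme with two incorrect-authorization mistakes, a level value honoured from a client-supplied parameter and a fail-open default for endpoints missing from the permission table, beside a corrected check that trusts only the server-side session and denies unknown endpoints. The endpoint paths, level values and the `Request` type are all assumptions.

```python
"""Hypothetical illustration of CWE-863 (incorrect authorization) in a
numeric security-level scheme. Example code for this page, not Yordam's."""
from dataclasses import dataclass, field

# Assumed security levels; higher means more privileged.
LEVEL_ANON, LEVEL_PATRON, LEVEL_LIBRARIAN, LEVEL_ADMIN = 0, 10, 50, 100

# Assumed endpoint -> minimum level table. Deliberately incomplete:
# "/admin/export" has no entry, which exposes the fail-open bug below.
REQUIRED_LEVEL = {
    "/opac/search": LEVEL_ANON,
    "/circulation/checkout": LEVEL_LIBRARIAN,
    "/admin/users": LEVEL_ADMIN,
}


@dataclass
class Request:
    path: str
    session_level: int                            # set server-side at login
    params: dict = field(default_factory=dict)    # client-controlled query string


def authorize_vulnerable(req: Request) -> bool:
    """Performs an authorization check, but incorrectly (CWE-863):
    1. a "level" query parameter, if present, overrides the session level;
    2. an endpoint missing from REQUIRED_LEVEL defaults to LEVEL_ANON."""
    level = int(req.params.get("level", req.session_level))
    required = REQUIRED_LEVEL.get(req.path, LEVEL_ANON)
    return level >= required


def authorize_fixed(req: Request) -> bool:
    """Level comes only from the server-side session; endpoints without an
    explicit entry are denied (fail closed)."""
    required = REQUIRED_LEVEL.get(req.path)
    if required is None:
        return False
    return req.session_level >= required


if __name__ == "__main__":
    # An anonymous session requesting an admin page with "?level=100" appended.
    forged = Request("/admin/users", LEVEL_ANON, {"level": "100"})
    # An anonymous session hitting an endpoint nobody put in the table.
    unlisted = Request("/admin/export", LEVEL_ANON)
    for name, req in (("forged level", forged), ("unlisted endpoint", unlisted)):
        print(f"{name}: vulnerable={authorize_vulnerable(req)} "
              f"fixed={authorize_fixed(req)}")
```

The two mistakes map onto the CWE-863 definition: a check exists, but it consults data the client controls and resolves gaps in its own configuration in the caller's favour. The fix keeps the same level scheme and simply makes the check answer the right question from the right source.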

Remediation (AI)

Upgrade to Yordam Library Automation System version 22.1 or later, which corrects the access control security level configuration flaw according to the USOM advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240. Confirm the running version after the upgrade rather than assuming the update completed, since every version from 19.5 through 22.0 remains affected. Organizations that cannot upgrade immediately should restrict network access to the application to trusted IP ranges or VPN-authenticated users, which reduces exposure to the network attack vector; note that such restrictions may block legitimate remote patron access if the system also serves a public-facing catalogue. If a web application firewall is deployed, review and harden its rules to alert on anomalous requests to privileged functions. Because the attacker needs no credentials, audit user accounts and session or access logs for unauthorized activity that may have occurred before patching, focusing on administrative and staff functions being reached by non-privileged accounts or by unauthenticated sessions.
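One way to carry out the log audit above, as an added example that is not part of the original advisory or of the vendor's tooling: a script that parses access-log lines in Apache combined layout (authenticated username in the third field), joins them against an exported user-role table, and flags every request to a privileged path made by an unauthenticated session or a non-admin account, distinguishing requests that succeeded from those the server blocked. The log lines, role map and privileged path prefixes are constructed for the example; Yordam's real log format and URL layout may differ.

```python
"""Audit access logs for privileged functions reached by non-privileged or
unauthenticated sessions. Example code for this page, not vendor tooling."""
import re
from collections import namedtuple

# Constructed sample log in Apache "combined" layout; not real Yordam logs.
SAMPLE_LOG = """\
10.0.0.5 - patron42 [14/May/2026:09:01:12 +0300] "GET /opac/search?q=kafka HTTP/1.1" 200 5120
10.0.0.5 - patron42 [14/May/2026:09:02:40 +0300] "POST /admin/users/export HTTP/1.1" 200 88211
203.0.113.7 - - [14/May/2026:09:03:01 +0300] "GET /admin/settings HTTP/1.1" 200 3012
10.0.0.9 - libadmin [14/May/2026:09:05:55 +0300] "GET /admin/settings HTTP/1.1" 200 3012
10.0.0.5 - patron42 [14/May/2026:09:06:10 +0300] "GET /admin/users HTTP/1.1" 403 512
"""

# Hypothetical role map; in practice export it from the application's user table.
ROLES = {"patron42": "patron", "libadmin": "admin"}

# Hypothetical path prefixes that only staff/admin roles should ever reach.
PRIVILEGED_PREFIXES = ("/admin/", "/circulation/", "/acquisitions/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

Finding = namedtuple("Finding", "ts ip user path status reason")


def audit(log_text, roles, prefixes=PRIVILEGED_PREFIXES):
    """Return one Finding per privileged-path request that was not made by an
    admin. Unparseable lines are skipped; the query string is ignored when
    matching prefixes so "?level=100"-style suffixes cannot hide a path."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(prefixes):
            continue
        user = m["user"]
        status = int(m["status"])
        if user == "-":
            reason = "unauthenticated"
        elif roles.get(user) != "admin":
            reason = f"role={roles.get(user, 'unknown')}"
        else:
            continue  # an admin using an admin function is expected
        # A 2xx/3xx means the server served the function: possible exploitation.
        reason += ", request succeeded" if status < 400 else f", blocked ({status})"
        findings.append(Finding(m["ts"], m["ip"], user, path, status, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ROLES):
        print(f"{f.ts} {f.ip} user={f.user} {f.path} {f.status} :: {f.reason}")
```

Run it over the real logs by passing their contents to `audit()` together with a role map exported from the application's user table; a succeeded request to a privileged path from a non-admin or unauthenticated session, dated before the upgrade, is the indicator of prior exploitation to investigate, while blocked attempts show who was probing.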
