Specto CM CVE-2025-2154
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Stored XSS.
This issue affects Specto CM: before 17032025.
AnalysisAI
Stored XSS in Specto CM, a call center management platform by Echo Call Center Services Trade and Industry Inc., allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect sessions or contexts beyond the attacker's own, elevating the practical impact for multi-user environments. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) indicates very low exploitation probability at time of analysis.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a class of vulnerabilities where user-supplied input is stored server-side and later rendered without adequate sanitization or encoding. In Specto CM, user input is persisted and subsequently reflected into web pages, causing browsers to interpret attacker-controlled content as executable script. The CVSS scope value of 'Changed' (S:C) is significant - it confirms the injected script executes in a security context different from the attacker's own session, meaning a low-privileged agent or operator could target higher-privileged users such as supervisors or administrators. No CPE string was provided, so affected product scope is limited to vendor-reported version information.
Affected ProductsAI
Specto CM, developed by Echo Call Center Services Trade and Industry Inc., is affected in all versions prior to build 17032025 (interpreted as the date-versioned release of March 17, 2025). No CPE string was provided in the source data, so the affected scope is based solely on vendor-reported version information as published in the Turkish USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0480 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0480.
RemediationAI
Upgrade Specto CM to version 17032025 or later, as this is the first build identified as resolving the vulnerability per the USOM advisory (https://www.usom.gov.tr/bildirim/tr-25-0480). The fix version uses a date-based scheme (DDMMYYYY), so version 17032025 corresponds to March 17, 2025. If immediate patching is not feasible, restrict access to Specto CM to trusted internal networks only and enforce the principle of least privilege by limiting which user roles can submit free-form or rich-text input into the application. Review input fields across the platform for stored content that may already contain injected payloads and sanitize or purge suspect entries. Content Security Policy (CSP) headers, if configurable at the web server or application layer, can reduce the impact of any unpatched XSS by blocking inline script execution, though this does not eliminate the underlying vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today