Skip to main content

Specto CM CVE-2025-2154

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-24 iletisim@usom.gov.tr
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 06, 2026 - 08:37 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Stored XSS.

This issue affects Specto CM: before 17032025.

AnalysisAI

Stored XSS in Specto CM, a call center management platform by Echo Call Center Services Trade and Industry Inc., allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect sessions or contexts beyond the attacker's own, elevating the practical impact for multi-user environments. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) indicates very low exploitation probability at time of analysis.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a class of vulnerabilities where user-supplied input is stored server-side and later rendered without adequate sanitization or encoding. In Specto CM, user input is persisted and subsequently reflected into web pages, causing browsers to interpret attacker-controlled content as executable script. The CVSS scope value of 'Changed' (S:C) is significant - it confirms the injected script executes in a security context different from the attacker's own session, meaning a low-privileged agent or operator could target higher-privileged users such as supervisors or administrators. No CPE string was provided, so affected product scope is limited to vendor-reported version information.

Affected ProductsAI

Specto CM, developed by Echo Call Center Services Trade and Industry Inc., is affected in all versions prior to build 17032025 (interpreted as the date-versioned release of March 17, 2025). No CPE string was provided in the source data, so the affected scope is based solely on vendor-reported version information as published in the Turkish USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0480 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0480.

RemediationAI

Upgrade Specto CM to version 17032025 or later, as this is the first build identified as resolving the vulnerability per the USOM advisory (https://www.usom.gov.tr/bildirim/tr-25-0480). The fix version uses a date-based scheme (DDMMYYYY), so version 17032025 corresponds to March 17, 2025. If immediate patching is not feasible, restrict access to Specto CM to trusted internal networks only and enforce the principle of least privilege by limiting which user roles can submit free-form or rich-text input into the application. Review input fields across the platform for stored content that may already contain injected payloads and sanitize or purge suspect entries. Content Security Policy (CSP) headers, if configurable at the web server or application layer, can reduce the impact of any unpatched XSS by blocking inline script execution, though this does not eliminate the underlying vulnerability.

Share

CVE-2025-2154 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy