Skip to main content

Aidango CVE-2025-2307

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-12-25 iletisim@usom.gov.tr
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 06, 2026 - 08:33 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango allows Cross-Site Scripting (XSS).

This issue affects Aidango: before 2.144.4.

AnalysisAI

Stored or reflected cross-site scripting in Verisay Aidango versions prior to 2.144.4 allows authenticated low-privileged attackers to inject malicious script content that executes in other users' browsers. The flaw was reported by Turkey's USOM CERT (iletisim@usom.gov.tr) and carries a CVSS 7.6 rating driven by high integrity impact, though EPSS scores it at only 0.01% (3rd percentile) and no public exploit identified at time of analysis.

Technical ContextAI

Aidango is a product from Verisay Communication and Information Technology Industry and Trade Ltd. Co., a Turkish vendor whose products are tracked by the Turkish national CERT (USOM/TR-CERT). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is rendered into HTML/JavaScript context without adequate output encoding or sanitization. When a victim loads the affected page, the injected payload executes within the trust boundary of the Aidango web application, giving the attacker access to session cookies, DOM state, and authenticated actions performed as the victim.

Affected ProductsAI

Verisay Aidango all versions before 2.144.4 are affected; no CPE strings were provided in the input data, and no vendor advisory URL is included in the references. The two references both point to Turkey's national CERT (USOM) advisory TR-25-0487 at https://www.usom.gov.tr/bildirim/tr-25-0487 and the mirror at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0487, which is the authoritative public disclosure for this issue.

RemediationAI

Upgrade Aidango to version 2.144.4 or later, which is the vendor-released patch identified by USOM advisory TR-25-0487 (https://www.usom.gov.tr/bildirim/tr-25-0487). If immediate patching is not possible, compensating controls include deploying a Content Security Policy that disallows inline scripts and restricts script sources to break payload execution (side effect: may break legitimate inline scripts and require application testing), placing a WAF in front of Aidango with XSS signature rules tuned to the application's input fields (side effect: false positives on legitimate rich-text input), and restricting Aidango access to trusted internal networks via VPN or IP allowlisting to shrink the attacker population given that PR:L authentication is required. Set HttpOnly and SameSite=Strict on session cookies to limit session theft impact even if injection succeeds.

Share

CVE-2025-2307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy