Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus allows Cross-Site Scripting (XSS).
This issue affects Titarus: before 2.144.4.
AnalysisAI
Stored or reflected cross-site scripting in Verisay Titarus before version 2.144.4 allows authenticated remote attackers to inject malicious scripts into web pages rendered by the application, leading to high integrity impact on victim sessions. The flaw was reported by Turkey's national CSIRT (USOM) and no public exploit identified at time of analysis, with an EPSS score of 0.01% (3rd percentile) indicating very low near-term exploitation likelihood. The CVSS 3.1 base score of 7.6 is driven largely by the high integrity impact reflecting potential for account takeover or unauthorized actions performed on behalf of victims.
Technical ContextAI
Titarus is a product developed by Verisay Communication and Information Technology Industry and Trade Ltd. Co., a Turkish vendor. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical root cause for cross-site scripting. This class arises when user-controllable input is incorporated into HTML, JavaScript, or DOM contexts without context-appropriate output encoding, allowing browsers to execute attacker-supplied script in the security context of the application's origin. No CPE strings were published in the available intelligence, so the precise component (web UI module, administrative interface, or end-user form) injecting the unsanitized input is not identified.
Affected ProductsAI
Verisay Titarus at all versions prior to 2.144.4 is affected, per the CVE description; fixed in 2.144.4. No CPE strings are listed in the provided intelligence, and vendor advisories are available from Turkey's national CERT at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0485 and https://www.usom.gov.tr/bildirim/tr-25-0485, which should be consulted to confirm the exact product editions, modules, and deployment models in scope.
RemediationAI
Vendor-released patch: upgrade Titarus to 2.144.4 or later, which addresses the cross-site scripting flaw per the CVE record. Consult the USOM advisories at https://www.usom.gov.tr/bildirim/tr-25-0485 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0485 for vendor-specific guidance. As compensating controls until patching is complete, deploy a Content Security Policy that disallows inline scripts and untrusted script sources to reduce exploit impact (trade-off: may break legitimate inline scripts and require front-end refactoring), place the application behind a WAF with XSS rules tuned to the affected endpoints (trade-off: signature-based rules can be bypassed and may produce false positives on legitimate rich-text input), and restrict access to the affected interfaces to trusted users via network ACLs or VPN given that PR:L exploitation requires an authenticated session (trade-off: reduces accessibility for legitimate distributed users).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today