Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi allows Cross-Site Scripting (XSS).
This issue affects Trizbi: before 2.144.4.
AnalysisAI
Stored or reflected cross-site scripting in Verisay Trizbi versions prior to 2.144.4 allows authenticated remote attackers to inject malicious script into web pages rendered to other users. The flaw was reported by Turkey's national CERT (USOM) and carries a CVSS 7.6 due to high integrity impact, though EPSS exploitation probability is very low at 0.01% and no public exploit identified at time of analysis.
Technical ContextAI
Trizbi is a web application developed by Verisay Communication and Information Technology Industry and Trade Ltd. Co., a Turkish vendor. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is reflected into HTML output without sufficient encoding or sanitization, allowing browser-interpreted script to execute in the context of the victim's session. Because the CVSS vector lists Scope:Unchanged with High integrity impact, the injected script likely affects application data and state visible to the authenticated session rather than crossing a trust boundary into another security domain.
Affected ProductsAI
Verisay Trizbi versions prior to 2.144.4 are affected. No CPE string was provided in the input data. Vendor and national advisories are published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0486 and https://www.usom.gov.tr/bildirim/tr-25-0486, both maintained by Turkey's USOM/national cybersecurity authority.
RemediationAI
Upgrade Trizbi to version 2.144.4 or later as the vendor-released patch addressing this issue; this is the only confirmed remediation path. Administrators should consult the Turkish national CERT advisories at https://www.usom.gov.tr/bildirim/tr-25-0486 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0486 for vendor-specific upgrade guidance. Until patching is feasible, compensating controls include deploying a strict Content-Security-Policy header that disallows inline scripts and restricts script-src to trusted origins (trade-off: may break legitimate inline scripts and require application testing), enabling HttpOnly and SameSite=Strict on session cookies to limit session theft (trade-off: may interfere with cross-origin integrations), and placing a WAF rule in front of Trizbi to block common XSS payload patterns on parameters reaching the affected functionality (trade-off: bypassable and may produce false positives).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today