Skip to main content

Trizbi CVE-2025-2406

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-12-25 iletisim@usom.gov.tr
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 06, 2026 - 08:34 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi allows Cross-Site Scripting (XSS).

This issue affects Trizbi: before 2.144.4.

AnalysisAI

Stored or reflected cross-site scripting in Verisay Trizbi versions prior to 2.144.4 allows authenticated remote attackers to inject malicious script into web pages rendered to other users. The flaw was reported by Turkey's national CERT (USOM) and carries a CVSS 7.6 due to high integrity impact, though EPSS exploitation probability is very low at 0.01% and no public exploit identified at time of analysis.

Technical ContextAI

Trizbi is a web application developed by Verisay Communication and Information Technology Industry and Trade Ltd. Co., a Turkish vendor. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is reflected into HTML output without sufficient encoding or sanitization, allowing browser-interpreted script to execute in the context of the victim's session. Because the CVSS vector lists Scope:Unchanged with High integrity impact, the injected script likely affects application data and state visible to the authenticated session rather than crossing a trust boundary into another security domain.

Affected ProductsAI

Verisay Trizbi versions prior to 2.144.4 are affected. No CPE string was provided in the input data. Vendor and national advisories are published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0486 and https://www.usom.gov.tr/bildirim/tr-25-0486, both maintained by Turkey's USOM/national cybersecurity authority.

RemediationAI

Upgrade Trizbi to version 2.144.4 or later as the vendor-released patch addressing this issue; this is the only confirmed remediation path. Administrators should consult the Turkish national CERT advisories at https://www.usom.gov.tr/bildirim/tr-25-0486 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0486 for vendor-specific upgrade guidance. Until patching is feasible, compensating controls include deploying a strict Content-Security-Policy header that disallows inline scripts and restricts script-src to trusted origins (trade-off: may break legitimate inline scripts and require application testing), enabling HttpOnly and SameSite=Strict on session cookies to limit session theft (trade-off: may interfere with cross-origin integrations), and placing a WAF rule in front of Trizbi to block common XSS payload patterns on parameters reaching the affected functionality (trade-off: bypassable and may produce false positives).

Share

CVE-2025-2406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy