Agentis CVE-2025-4284
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Rolantis Information Technologies Agentis allows Reflected XSS, DOM-Based XSS.
This issue affects Agentis: before 4.32.
AnalysisAI
Reflected and DOM-Based Cross-Site Scripting in Rolantis Information Technologies Agentis (all versions before 4.32) allows remote unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session when the victim is tricked into clicking a crafted URL. The Scope:Changed vector indicates injected script executes in the context of a different security origin than the vulnerable component. No public exploit code has been identified and EPSS sits at 0.17% (38th percentile), consistent with an unweaponized, newly disclosed web application flaw reported by Turkey's national CERT (USOM).
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) covers failure to sanitize user-controlled input before it is rendered in an HTML response or processed by the DOM. Two distinct XSS classes are present: Reflected XSS, where attacker-supplied query parameters are echoed into the server response without encoding; and DOM-Based XSS, where client-side JavaScript reads attacker-controlled sources (e.g., location.hash, document.referrer) and writes them to dangerous sinks without sanitization. No CPE strings were supplied, but the affected product is identified as 'Agentis' by Rolantis Information Technologies, versions prior to 4.32. The advisory was published by USOM (TR-25-0168) via siberguvenlik.gov.tr, Turkey's national cybersecurity authority.
Affected ProductsAI
Rolantis Information Technologies Agentis, all versions before 4.32, is confirmed affected per the USOM advisory TR-25-0168 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0168). No CPE strings were provided in the available data. No other vendor products are referenced in this disclosure.
RemediationAI
Upgrade Agentis to version 4.32 or later, which is the first release containing the fix per the USOM advisory TR-25-0168 available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0168 and https://www.usom.gov.tr/bildirim/tr-25-0168. If immediate patching is not feasible, deploy a Web Application Firewall (WAF) rule to block requests containing common XSS payloads in query parameters and URL fragments as a compensating control; note that WAF bypass techniques exist and this is not a substitute for patching. For the DOM-Based XSS vector specifically, enforcing a strict Content Security Policy (CSP) header that disallows inline script execution can reduce the exploitability of sink-based injection, though CSP configuration errors can undermine this control. Restrict access to Agentis endpoints to trusted networks or authenticated users where the application's use case permits, reducing the attack surface for the Reflected XSS vector.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today