Dataprom PACS-ACSS CVE-2025-4411
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dataprom Informatics PACS-ACSS allows Cross-Site Scripting (XSS).
This issue affects PACS-ACSS: before 16.05.2025.
AnalysisAI
Cross-site scripting in Dataprom Informatics PACS-ACSS (Physical Access Control and Security System) affects all versions prior to the 16.05.2025 release, enabling unauthenticated remote attackers to inject and execute malicious scripts in the context of a victim's browser session. The CVSS vector assigns UI:N (no user interaction), which for XSS typically implies stored rather than reflected injection - meaning a payload planted in the system may execute automatically when administrators or operators view affected pages. No public exploit code has been identified at time of analysis, and no active exploitation is confirmed; however, the sensitivity of physical access control systems makes even moderate-severity XSS high-consequence in operational environments.
Technical ContextAI
PACS-ACSS is a web-based physical access control and security management platform developed by Dataprom Informatics, a Turkish vendor, used to manage building access, door controllers, and security events. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is echoed back into rendered HTML or JavaScript contexts without sufficient encoding or sanitization. The CVSS vector UI:N is noteworthy: classic reflected XSS requires a victim to follow a crafted link (UI:R), so the UI:N assignment suggests this may be a stored XSS variant where the payload persists in the application's data store and executes automatically when authorized users access the affected view. No CPE strings were provided; affected scope is all PACS-ACSS instances running software dated before 16.05.2025.
Affected ProductsAI
All versions of Dataprom Informatics PACS-ACSS released before 16.05.2025 are affected. No CPE identifier was provided in the available intelligence. The vulnerability was disclosed by the Turkish national cybersecurity authority USOM (TR-CERT) and reported via iletisim@usom.gov.tr. The full advisory is available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0171 and https://www.usom.gov.tr/bildirim/tr-25-0171. Specific build numbers or sub-versions below the cutoff date are not enumerated in the available data.
RemediationAI
Upgrade PACS-ACSS to the version released on or after 16.05.2025, as confirmed by the vendor advisory published by USOM at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0171. The exact patched build identifier was not independently confirmed from the available references - contact Dataprom Informatics directly to obtain the fixed package. If immediate patching is not feasible, restrict access to the PACS-ACSS web interface to trusted internal network segments or VPN only, reducing the attack surface for unauthenticated network-based injection. Implement a web application firewall (WAF) rule to detect and block common XSS payload patterns in HTTP request parameters and body; note this is a compensating control only and does not address the root cause. Enforce strict Content-Security-Policy (CSP) headers at the reverse proxy or load balancer layer to limit script execution contexts, though effectiveness depends on the specific injection point. Review audit logs for unexpected script-like strings in access logs as an indicator of exploitation attempts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today