Skip to main content

Dataprom PACS-ACSS CVE-2025-4411

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-07-23 iletisim@usom.gov.tr
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 16:41 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dataprom Informatics PACS-ACSS allows Cross-Site Scripting (XSS).

This issue affects PACS-ACSS: before 16.05.2025.

AnalysisAI

Cross-site scripting in Dataprom Informatics PACS-ACSS (Physical Access Control and Security System) affects all versions prior to the 16.05.2025 release, enabling unauthenticated remote attackers to inject and execute malicious scripts in the context of a victim's browser session. The CVSS vector assigns UI:N (no user interaction), which for XSS typically implies stored rather than reflected injection - meaning a payload planted in the system may execute automatically when administrators or operators view affected pages. No public exploit code has been identified at time of analysis, and no active exploitation is confirmed; however, the sensitivity of physical access control systems makes even moderate-severity XSS high-consequence in operational environments.

Technical ContextAI

PACS-ACSS is a web-based physical access control and security management platform developed by Dataprom Informatics, a Turkish vendor, used to manage building access, door controllers, and security events. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is echoed back into rendered HTML or JavaScript contexts without sufficient encoding or sanitization. The CVSS vector UI:N is noteworthy: classic reflected XSS requires a victim to follow a crafted link (UI:R), so the UI:N assignment suggests this may be a stored XSS variant where the payload persists in the application's data store and executes automatically when authorized users access the affected view. No CPE strings were provided; affected scope is all PACS-ACSS instances running software dated before 16.05.2025.

Affected ProductsAI

All versions of Dataprom Informatics PACS-ACSS released before 16.05.2025 are affected. No CPE identifier was provided in the available intelligence. The vulnerability was disclosed by the Turkish national cybersecurity authority USOM (TR-CERT) and reported via iletisim@usom.gov.tr. The full advisory is available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0171 and https://www.usom.gov.tr/bildirim/tr-25-0171. Specific build numbers or sub-versions below the cutoff date are not enumerated in the available data.

RemediationAI

Upgrade PACS-ACSS to the version released on or after 16.05.2025, as confirmed by the vendor advisory published by USOM at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0171. The exact patched build identifier was not independently confirmed from the available references - contact Dataprom Informatics directly to obtain the fixed package. If immediate patching is not feasible, restrict access to the PACS-ACSS web interface to trusted internal network segments or VPN only, reducing the attack surface for unauthenticated network-based injection. Implement a web application firewall (WAF) rule to detect and block common XSS payload patterns in HTTP request parameters and body; note this is a compensating control only and does not address the root cause. Enforce strict Content-Security-Policy (CSP) headers at the reverse proxy or load balancer layer to limit script execution contexts, though effectiveness depends on the specific injection point. Review audit logs for unexpected script-like strings in access logs as an indicator of exploitation attempts.

Share

CVE-2025-4411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy