Talent Software UNIS CVE-2025-6923
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software UNIS allows Reflected XSS.
This issue affects UNIS: before 42957.
AnalysisAI
Reflected cross-site scripting in Talent Software UNIS allows unauthenticated remote attackers to inject and execute malicious JavaScript in a victim's browser session. All UNIS versions prior to build 42957 are affected, as disclosed by Turkey's national CERT (USOM). No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability.
Technical ContextAI
UNIS is a web-based enterprise platform developed by Talent Software. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-supplied input is reflected back into HTTP responses without adequate sanitization or encoding, enabling script injection. The reflected variant means the payload is delivered via the request itself (e.g., a crafted URL parameter) rather than stored server-side, requiring the victim to trigger the request. The CVSS vector confirms network delivery (AV:N), low complexity (AC:L), and no required privileges (PR:N), consistent with a URL-based injection point exposed to the public web. No CPE string was provided in the source data, so exact affected component scope is limited to the version range stated in the advisory.
Affected ProductsAI
Talent Software UNIS is affected in all versions prior to build 42957. No CPE string was included in the advisory data, so the affected component scope cannot be further narrowed beyond the vendor-stated version boundary. The vulnerability was disclosed by USOM (Turkey's national cybersecurity authority) via advisory TR-25-0435, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0435 and https://www.usom.gov.tr/bildirim/tr-25-0435.
RemediationAI
Upgrade Talent Software UNIS to build 42957 or later, which is the vendor-indicated fix version per USOM advisory TR-25-0435. Organizations should prioritize updating any publicly accessible UNIS instances or those reachable from untrusted networks. If immediate patching is not feasible, deploy a Web Application Firewall (WAF) rule to block reflected XSS payloads on UNIS endpoints as a compensating control, though this may interfere with legitimate form submissions and requires careful tuning. Additionally, restrict access to UNIS to trusted networks or authenticated VPN sessions where architecturally possible, reducing the pool of potential attackers despite the PR:N vector. Advisory references: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0435 and https://www.usom.gov.tr/bildirim/tr-25-0435.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today