Skip to main content

Talent Software UNIS CVE-2025-6923

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-09 iletisim@usom.gov.tr
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:39 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software UNIS allows Reflected XSS.

This issue affects UNIS: before 42957.

AnalysisAI

Reflected cross-site scripting in Talent Software UNIS allows unauthenticated remote attackers to inject and execute malicious JavaScript in a victim's browser session. All UNIS versions prior to build 42957 are affected, as disclosed by Turkey's national CERT (USOM). No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability.

Technical ContextAI

UNIS is a web-based enterprise platform developed by Talent Software. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-supplied input is reflected back into HTTP responses without adequate sanitization or encoding, enabling script injection. The reflected variant means the payload is delivered via the request itself (e.g., a crafted URL parameter) rather than stored server-side, requiring the victim to trigger the request. The CVSS vector confirms network delivery (AV:N), low complexity (AC:L), and no required privileges (PR:N), consistent with a URL-based injection point exposed to the public web. No CPE string was provided in the source data, so exact affected component scope is limited to the version range stated in the advisory.

Affected ProductsAI

Talent Software UNIS is affected in all versions prior to build 42957. No CPE string was included in the advisory data, so the affected component scope cannot be further narrowed beyond the vendor-stated version boundary. The vulnerability was disclosed by USOM (Turkey's national cybersecurity authority) via advisory TR-25-0435, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0435 and https://www.usom.gov.tr/bildirim/tr-25-0435.

RemediationAI

Upgrade Talent Software UNIS to build 42957 or later, which is the vendor-indicated fix version per USOM advisory TR-25-0435. Organizations should prioritize updating any publicly accessible UNIS instances or those reachable from untrusted networks. If immediate patching is not feasible, deploy a Web Application Firewall (WAF) rule to block reflected XSS payloads on UNIS endpoints as a compensating control, though this may interfere with legitimate form submissions and requires careful tuning. Additionally, restrict access to UNIS to trusted networks or authenticated VPN sessions where architecturally possible, reducing the pool of potential attackers despite the PR:N vector. Advisory references: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0435 and https://www.usom.gov.tr/bildirim/tr-25-0435.

Share

CVE-2025-6923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy