e-BAP Automation CVE-2025-6924
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Reflected XSS.
This issue affects e-BAP Automation: before 42957.
AnalysisAI
Reflected XSS in Talent Software's e-BAP Automation platform (versions before build 42957) allows unauthenticated remote attackers to inject and execute malicious scripts in a victim's browser by tricking them into clicking a crafted URL. The CVSS vector (PR:N/UI:R) confirms no attacker authentication is needed, but successful exploitation depends on social-engineering a valid application user. No active exploitation has been confirmed (not in CISA KEV) and EPSS sits at 0.02% (7th percentile), indicating low near-term exploitation probability.
Technical ContextAI
e-BAP Automation is a business process automation platform developed by Talent Software. The flaw is a Reflected Cross-Site Scripting vulnerability (CWE-79), a class of injection weakness where user-controlled input is incorporated into an HTTP response without sufficient output encoding or sanitization, causing the browser to interpret attacker-supplied data as executable script. In the reflected variant, the payload travels in the request (typically a URL query parameter) and is mirrored back in the immediate response rather than persisted in a database. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U captures the attack profile: network-accessible, low complexity, no attacker privileges required, user interaction required, and unchanged scope - meaning the injected script executes within the application's own origin but cannot directly break out to the broader host system. No CPE strings were provided in the advisory, so platform or OS specifics are not independently confirmed.
Affected ProductsAI
Talent Software e-BAP Automation all versions before build 42957 are affected. No CPE string was included in the advisory data, so platform, OS, or deployment-mode scope cannot be independently confirmed from available intelligence. The vulnerability was disclosed by Turkey's national CERT (USOM/TR-CERT) via advisory TR-25-0434, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0434 and https://www.usom.gov.tr/bildirim/tr-25-0434.
RemediationAI
Upgrade e-BAP Automation to build 42957 or later - this is the confirmed fix version per USOM advisory TR-25-0434 (https://www.usom.gov.tr/bildirim/tr-25-0434); contact Talent Software directly for the patch package and release notes. As a compensating control pending upgrade, deploying a Web Application Firewall with XSS-specific filtering rules can intercept reflected script payloads, though coverage depends on rule quality and tuning, and overly aggressive rules may generate false positives on legitimate traffic. Enforcing a strict Content Security Policy (CSP) header on the application - if the platform supports custom response headers - can limit script execution scope even if a payload reaches the browser. Additionally, user awareness training regarding unsolicited or suspicious application URLs reduces practical exposure, since exploitation requires the victim to interact with a crafted link (UI:R). Note that CSP and WAF mitigations treat the symptom rather than the root cause and should not substitute for patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today