Skip to main content

e-BAP Automation CVE-2025-6924

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-09 iletisim@usom.gov.tr
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:40 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Reflected XSS.

This issue affects e-BAP Automation: before 42957.

AnalysisAI

Reflected XSS in Talent Software's e-BAP Automation platform (versions before build 42957) allows unauthenticated remote attackers to inject and execute malicious scripts in a victim's browser by tricking them into clicking a crafted URL. The CVSS vector (PR:N/UI:R) confirms no attacker authentication is needed, but successful exploitation depends on social-engineering a valid application user. No active exploitation has been confirmed (not in CISA KEV) and EPSS sits at 0.02% (7th percentile), indicating low near-term exploitation probability.

Technical ContextAI

e-BAP Automation is a business process automation platform developed by Talent Software. The flaw is a Reflected Cross-Site Scripting vulnerability (CWE-79), a class of injection weakness where user-controlled input is incorporated into an HTTP response without sufficient output encoding or sanitization, causing the browser to interpret attacker-supplied data as executable script. In the reflected variant, the payload travels in the request (typically a URL query parameter) and is mirrored back in the immediate response rather than persisted in a database. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U captures the attack profile: network-accessible, low complexity, no attacker privileges required, user interaction required, and unchanged scope - meaning the injected script executes within the application's own origin but cannot directly break out to the broader host system. No CPE strings were provided in the advisory, so platform or OS specifics are not independently confirmed.

Affected ProductsAI

Talent Software e-BAP Automation all versions before build 42957 are affected. No CPE string was included in the advisory data, so platform, OS, or deployment-mode scope cannot be independently confirmed from available intelligence. The vulnerability was disclosed by Turkey's national CERT (USOM/TR-CERT) via advisory TR-25-0434, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0434 and https://www.usom.gov.tr/bildirim/tr-25-0434.

RemediationAI

Upgrade e-BAP Automation to build 42957 or later - this is the confirmed fix version per USOM advisory TR-25-0434 (https://www.usom.gov.tr/bildirim/tr-25-0434); contact Talent Software directly for the patch package and release notes. As a compensating control pending upgrade, deploying a Web Application Firewall with XSS-specific filtering rules can intercept reflected script payloads, though coverage depends on rule quality and tuning, and overly aggressive rules may generate false positives on legitimate traffic. Enforcing a strict Content Security Policy (CSP) header on the application - if the platform supports custom response headers - can limit script execution scope even if a payload reaches the browser. Additionally, user awareness training regarding unsolicited or suspicious application URLs reduces practical exposure, since exploitation requires the victim to interact with a crafted link (UI:R). Note that CSP and WAF mitigations treat the symptom rather than the root cause and should not substitute for patching.

Share

CVE-2025-6924 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy