Skip to main content

Online Support Application EUVDEUVD-2025-209611

| CVE-2025-14320 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-05-04 TR-CERT
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 09:15 vuln.today
EUVD ID Assigned
May 04, 2026 - 09:00 euvd
EUVD-2025-209611
Analysis Generated
May 04, 2026 - 09:00 vuln.today
CVE Published
May 04, 2026 - 07:41 nvd
CRITICAL 9.8

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS.

This issue affects Online Support Application: from V3 through 31122025.

AnalysisAI

Remote code execution via reflected XSS in Tegsoft Online Support Application V3 through build 31122025 allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers with full application privileges. Despite being classified as CWE-79 (XSS), the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates critical impact typically reserved for RCE vulnerabilities, suggesting severe exploitation potential beyond typical XSS. Reported by TR-CERT (Turkish national CERT) with advisory published at USOM, indicating regional significance. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis.

Technical ContextAI

This vulnerability stems from improper neutralization of user-supplied input during HTML generation (CWE-79), commonly known as Cross-Site Scripting. The affected product is Tegsoft Management and Information Services Trade Limited Company's Online Support Application, specifically versions V3 through build dated 31122025 (CPE: cpe:2.3:a:tegsoft_management_and_information_services_trade_limited_company:online_support_application). Reflected XSS occurs when malicious scripts embedded in URLs or form inputs are immediately reflected back to users without proper sanitization or encoding. The unusually high CVSS score of 9.8 for an XSS vulnerability-matching scores typically assigned to unauthenticated remote code execution-suggests this may enable session hijacking of privileged accounts, CSRF token theft, or exploit chaining with backend vulnerabilities. Online support applications often handle sensitive customer data and administrative functions, amplifying the impact of successful XSS exploitation.

RemediationAI

Upgrade to Tegsoft Online Support Application build post-31122025 once vendor releases patched version addressing TR-26-0142. No specific fix version confirmed in available data-contact Tegsoft support referencing TR-CERT advisory TR-26-0142 to obtain current patch status and upgrade timeline. Consult Turkish USOM advisory at https://www.usom.gov.tr/bildirim/tr-26-0142 for official remediation guidance. If immediate patching is unavailable, implement Web Application Firewall (WAF) rules to block common XSS payloads in HTTP request parameters, though this creates detection blind spots for obfuscated attacks and adds latency to support portal response times. Deploy Content Security Policy (CSP) headers with strict script-src directives allowing only same-origin and explicitly whitelisted scripts, which breaks functionality if application relies on inline JavaScript or third-party CDN resources. Restrict network access to the Online Support Application to trusted IP ranges via firewall rules if business processes permit, reducing attack surface but preventing legitimate remote customer access. Given the UI:N CVSS designation, session timeout reduction and re-authentication requirements provide limited protection if exploitation requires no user interaction.

Share

EUVD-2025-209611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy