Skip to main content

Yordam Library Automation System EUVDEUVD-2025-209843

| CVE-2025-15025 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 TR-CERT GHSA-hjg6-2c9h-3rgp
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 14:00 vuln.today
CVE Published
May 14, 2026 - 12:59 nvd
HIGH 8.8

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploitation of Trusted Identifiers.

This issue affects Library Automation System: from v.21.6 before v.22.1.

AnalysisAI

Authentication bypass in Yordam Library Automation System versions 21.6 through 22.0 enables remote attackers to impersonate legitimate users and gain unauthorized administrative access by manipulating user identifiers in requests. Attackers who successfully exploit this vulnerability can achieve full system compromise including reading sensitive library records, modifying catalog data, and disrupting availability. The vulnerability requires user interaction (likely social engineering or malicious link), but no authentication, making it accessible to external threat actors. TR-CERT has published an advisory confirming the issue affects Turkish government and educational institutions using this library management platform.

Technical ContextAI

This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a flaw where the application uses client-controlled data to determine authorization decisions without proper validation. In library automation systems, this typically manifests when session tokens, user IDs, or role identifiers in HTTP parameters, cookies, or headers can be modified by attackers to assume another user's identity. The CVSS vector indicates network-based exploitation with low complexity, suggesting the vulnerable parameter is easily identified and manipulated through standard web traffic. Yordam Library Automation System is a comprehensive integrated library system (ILS) used primarily in Turkish institutions for cataloging, circulation, acquisitions, and patron management. The affected CPE identifies this as a specific product from Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc., affecting all versions in the 21.6 branch prior to the 22.1 release.

RemediationAI

Upgrade Yordam Library Automation System to version 22.1 or later, which contains vendor-confirmed fixes for the authorization bypass vulnerability. Organizations should obtain the patched version directly from Yordam Information Technology or through their authorized support channels, referencing TR-CERT advisory TR-26-0240. During the upgrade window, implement compensating controls: restrict network access to the library system's administrative interfaces using IP allowlisting to limit exposure to trusted networks only, deploy web application firewall (WAF) rules to detect and block requests with manipulated user identifier parameters (coordinate with Yordam support to identify vulnerable parameters without breaking legitimate functionality), enable comprehensive audit logging for all authentication and authorization events to detect exploitation attempts, and conduct user awareness training focused on recognizing phishing attacks that could deliver malicious links exploiting this vulnerability. Note that network restrictions may impact remote staff access and require VPN infrastructure, while WAF rules risk false positives that could disrupt patron self-service functions and require tuning. Consult the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240 for additional Turkish-language remediation guidance specific to national infrastructure deployments.

Share

EUVD-2025-209843 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy