Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploitation of Trusted Identifiers.
This issue affects Library Automation System: from v.21.6 before v.22.1.
AnalysisAI
Authentication bypass in Yordam Library Automation System versions 21.6 through 22.0 enables remote attackers to impersonate legitimate users and gain unauthorized administrative access by manipulating user identifiers in requests. Attackers who successfully exploit this vulnerability can achieve full system compromise including reading sensitive library records, modifying catalog data, and disrupting availability. The vulnerability requires user interaction (likely social engineering or malicious link), but no authentication, making it accessible to external threat actors. TR-CERT has published an advisory confirming the issue affects Turkish government and educational institutions using this library management platform.
Technical ContextAI
This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a flaw where the application uses client-controlled data to determine authorization decisions without proper validation. In library automation systems, this typically manifests when session tokens, user IDs, or role identifiers in HTTP parameters, cookies, or headers can be modified by attackers to assume another user's identity. The CVSS vector indicates network-based exploitation with low complexity, suggesting the vulnerable parameter is easily identified and manipulated through standard web traffic. Yordam Library Automation System is a comprehensive integrated library system (ILS) used primarily in Turkish institutions for cataloging, circulation, acquisitions, and patron management. The affected CPE identifies this as a specific product from Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc., affecting all versions in the 21.6 branch prior to the 22.1 release.
RemediationAI
Upgrade Yordam Library Automation System to version 22.1 or later, which contains vendor-confirmed fixes for the authorization bypass vulnerability. Organizations should obtain the patched version directly from Yordam Information Technology or through their authorized support channels, referencing TR-CERT advisory TR-26-0240. During the upgrade window, implement compensating controls: restrict network access to the library system's administrative interfaces using IP allowlisting to limit exposure to trusted networks only, deploy web application firewall (WAF) rules to detect and block requests with manipulated user identifier parameters (coordinate with Yordam support to identify vulnerable parameters without breaking legitimate functionality), enable comprehensive audit logging for all authentication and authorization events to detect exploitation attempts, and conduct user awareness training focused on recognizing phishing attacks that could deliver malicious links exploiting this vulnerability. Note that network restrictions may impact remote staff access and require VPN infrastructure, while WAF rules risk false positives that could disrupt patron self-service functions and require tuning. Consult the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240 for additional Turkish-language remediation guidance specific to national infrastructure deployments.
More in Library Automation System
View allImproper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collec
Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collec
University Library Automation System developed by Yordam Bilgi Teknolojileri before version 19.2 has an unauthenticated
Improper Neutralization of Input During Web Page Generation vulnerability in Yordam Information Technologies Library Aut
Yordam Library Information Document Automation product before version 19.02 has an unauthenticated Information disclosur
Yordam Library Information Document Automation product before version 19.02 has an unauthenticated reflected XSS vulnera
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209843
GHSA-hjg6-2c9h-3rgp