Access Control System Gks
Monthly
Information disclosure in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows remote unauthenticated attackers to collect sensitive data from common resource locations due to a missing authorization check. Because the affected endpoints do not verify that a requester is entitled to the data they return, an attacker who can reach the system over the network can harvest information without credentials. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV, but the CVSS 8.2 rating and CWE-862 root cause make it a meaningful exposure for any accessible deployment.
Reflected cross-site scripting in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows authenticated remote attackers to inject malicious scripts into web responses. The vulnerability (CWE-79) results from improper neutralization of user-supplied input during web page generation, with scope change (S:C) indicating execution context escapes to the victim's browser. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting in Armiya Information Technologies' Access Control System (GKS) versions before 2 allows an unauthenticated network attacker to persist malicious scripts in the application, which execute in the browser of any user who views the affected page. The scope change (S:C) in the CVSS vector indicates the injected payload breaks out of the application's security context and operates within the victim's browser environment, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to inject script-bearing HTML attributes into web pages served by the application, executing arbitrary JavaScript in the context of a victim's browser. All versions prior to Version 2 are affected, as reported by TR-CERT via Turkey's national cybersecurity authority. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the low-complexity, no-privilege attack vector makes this straightforward to weaponize against authenticated users of the access control panel.
Information disclosure in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows remote unauthenticated attackers to collect sensitive data from common resource locations due to a missing authorization check. Because the affected endpoints do not verify that a requester is entitled to the data they return, an attacker who can reach the system over the network can harvest information without credentials. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV, but the CVSS 8.2 rating and CWE-862 root cause make it a meaningful exposure for any accessible deployment.
Reflected cross-site scripting in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows authenticated remote attackers to inject malicious scripts into web responses. The vulnerability (CWE-79) results from improper neutralization of user-supplied input during web page generation, with scope change (S:C) indicating execution context escapes to the victim's browser. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting in Armiya Information Technologies' Access Control System (GKS) versions before 2 allows an unauthenticated network attacker to persist malicious scripts in the application, which execute in the browser of any user who views the affected page. The scope change (S:C) in the CVSS vector indicates the injected payload breaks out of the application's security context and operates within the victim's browser environment, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to inject script-bearing HTML attributes into web pages served by the application, executing arbitrary JavaScript in the context of a victim's browser. All versions prior to Version 2 are affected, as reported by TR-CERT via Turkey's national cybersecurity authority. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the low-complexity, no-privilege attack vector makes this straightforward to weaponize against authenticated users of the access control panel.