CVE-2025-10914
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in Proliz Software's OBS Student Affairs Information System. Attackers can inject malicious scripts into web pages that execute in victims' browsers when they visit specially crafted URLs. All users of affected OBS versions are potentially at risk.
💻 Affected Systems
- Proliz Software Ltd. Co. OBS (Student Affairs Information System)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, hijack user accounts, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially compromising sensitive student data.
Likely Case
Attackers craft phishing emails with malicious links that, when clicked by authenticated users, execute scripts to steal session tokens or credentials.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link) but is straightforward to exploit once the vulnerable parameter is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V26.0401 or later
Vendor Advisory: https://www.usom.gov.tr/bildirim/tr-25-0357
Restart Required: Yes
Instructions:
1. Download the latest version (V26.0401 or newer) from Proliz Software.
2. Backup current installation and data.
3. Install the update following vendor instructions.
4. Restart the application server.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to filter malicious input before it reaches the application.
Input Validation Filter
Implement server-side input validation to sanitize user-supplied parameters before processing.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Deploy network segmentation to limit access to the OBS system only to authorized users
🔍 How to Verify
Check if Vulnerable:
Test by injecting basic XSS payloads (e.g., <script>alert('XSS')</script>) into URL parameters and observing if they execute in the browser.
Check Version:
Check the application version in the web interface footer or admin panel, or consult system documentation.
Verify Fix Applied:
After patching, retest with the same XSS payloads to confirm they are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusually long parameter values in web logs
- Requests containing script tags or JavaScript code in URL parameters
- Multiple failed login attempts from single IPs
Network Indicators:
- HTTP requests with suspicious parameters containing script elements
- Outbound connections to unknown domains following OBS access
SIEM Query:
source="web_server_logs" AND (url="*<script>*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
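As an added defensive example (not code from the advisory or from Proliz), the following Python scanner applies the log indicators above to web-server access log lines: the script patterns from the SIEM query, matched after URL-decoding so percent-encoded or double-encoded payloads are not missed, plus the "unusually long parameter value" indicator. The sample log lines, the OBS paths in them, and the length threshold are constructed assumptions, not real OBS traffic.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Patterns from the advisory's SIEM query, applied after URL-decoding.
XSS_PATTERNS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)

# Threshold for the "unusually long parameter value" indicator (assumed; tune per site).
LONG_VALUE_THRESHOLD = 200

# Minimal Combined Log Format parser: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request_url(url: str) -> list[str]:
    """Return the indicator names triggered by one request URL ([] if clean)."""
    findings = []
    decoded = unquote(unquote(url))  # two passes catch double-encoded input
    if XSS_PATTERNS.search(decoded):
        findings.append("xss_pattern")
    for name, value in parse_qsl(urlsplit(decoded).query, keep_blank_values=True):
        if len(value) > LONG_VALUE_THRESHOLD:
            findings.append(f"long_param:{name}")
    return findings

def scan_log(lines):
    """Return (client_ip, url, findings) for every line that trips an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        findings = inspect_request_url(m.group("url"))
        if findings:
            hits.append((m.group("ip"), m.group("url"), findings))
    return hits

# Constructed sample log lines (not real OBS traffic). The hostile ones carry the
# generic alert('XSS') probe quoted in the advisory, once URL-encoded and once
# double-encoded; the last one has an over-long parameter value.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0300] "GET /obs/login.aspx?ReturnUrl=%2Fobs%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0300] "GET /obs/search?q=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0300] "GET /obs/page?x=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 1024',
    '203.0.113.11 - - [01/Jan/2025:10:00:03 +0300] "GET /obs/page?name=' + "A" * 300 + ' HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, url[:60])
```

Feed real access logs in line by line; a hit on the double-encoded sample shows why matching the raw URL alone, as the SIEM query does, can miss encoded variants.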