PatchSiren cyber security CVE debrief
CVE-2022-2266 Yordam Bilgi Teknolojileri CVE debrief
CVE-2022-2266 is a reflected cross-site scripting (XSS) vulnerability in the University Library Automation System developed by Yordam Bilgi Teknolojileri. The vulnerability exists in versions prior to 19.2 and allows unauthenticated attackers to inject malicious scripts that execute in the context of a victim's browser session. The issue was publicly disclosed on September 22, 2022, and has been remediated in version 19.2. The vulnerability carries a CVSS 3.1 score of 6.1 (Medium severity), reflecting network accessibility, low attack complexity, no privilege requirements, and dependency on user interaction. Exploitation requires user interaction and has low impact on confidentiality and integrity; availability is not affected. The scope is changed, indicating that the vulnerable component can affect resources beyond its own security scope (here, the user's browser rather than the server).
- Vendor: Yordam Bilgi Teknolojileri
- Product: Unknown
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2022-09-22
- Original CVE updated: 2026-05-20
- Advisory published: 2022-09-22
- Advisory updated: 2026-05-20
Who should care
Organizations operating Yordam Library Automation System versions prior to 19.2, particularly universities and academic libraries in Turkey where this system is commonly deployed; security teams responsible for web application security in educational institutions; system administrators managing library automation infrastructure; and incident response teams tracking USOM advisories for regional threat landscape awareness.
Technical summary
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It is a reflected XSS issue, meaning malicious payloads are delivered through crafted URLs or requests and executed immediately in the victim's browser without persistent storage. The attack requires user interaction—typically tricking a user into clicking a malicious link. The unauthenticated nature of the vulnerability means no credentials are required to exploit it. The affected product is specifically the University Library Automation System (Kütüphane Otomasyon Sistemi) by Yordam Bilgi Teknolojileri, widely deployed in Turkish academic institutions. Version 19.2 contains the security fix. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low complexity, no privileges required, user interaction needed, changed scope, and low impact to confidentiality and integrity.
Defensive priority
medium
Recommended defensive actions
- Upgrade Yordam Library Automation System to version 19.2 or later to remediate the vulnerability
- Implement Content Security Policy (CSP) headers to mitigate XSS impact if immediate patching is not feasible
- Review and sanitize all user-controllable input parameters in library system interfaces
- Deploy web application firewall (WAF) rules to detect and block reflected XSS payloads
- Conduct security assessment of library system deployments to identify unpatched instances
- Monitor for suspicious requests containing script tags or encoded JavaScript payloads in library system access logs
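As an added example that is not part of this advisory or the vendor's code, the log-monitoring action above implemented as a small Python scanner over constructed access-log lines; the /catalog/search path and the client addresses are placeholders, not known Yordam endpoints. It goes slightly beyond the bullet by also undoing double percent-encoding, so that encoded payloads are matched in their decoded form.

```python
import re
from urllib.parse import unquote

# Indicators that commonly appear in reflected-XSS probes. They are matched
# against the percent-decoded request path so encoded variants are caught.
# The event-handler pattern requires an enclosing tag so that ordinary query
# parameters such as "online=1" are not flagged.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE),
    "html_injection": re.compile(r"<\s*(img|svg|iframe)\b", re.IGNORECASE),
}

# Combined-style access log: client ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; double encoding is a common evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return (client, timestamp, path, [indicator names]) for a suspicious request, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    client, timestamp, _method, path, _status = match.groups()
    decoded = fully_decode(path)
    hits = [name for name, pattern in XSS_PATTERNS.items() if pattern.search(decoded)]
    return (client, timestamp, path, hits) if hits else None


def scan_log(lines):
    """Scan an iterable of access-log lines and return every flagged request."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


# Constructed sample log lines (placeholder path and documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Sep/2022:10:00:01 +0300] "GET /catalog/search?q=data+structures HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Sep/2022:10:00:05 +0300] "GET /catalog/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5231',
    '198.51.100.7 - - [22/Sep/2022:10:00:09 +0300] "GET /catalog/search?q=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 5244',
    '192.0.2.11 - - [22/Sep/2022:10:01:00 +0300] "GET /catalog/search?online=1&q=javascript+books HTTP/1.1" 200 4990',
]

if __name__ == "__main__":
    for client, timestamp, path, hits in scan_log(SAMPLE_LOG):
        print(f"{timestamp} {client} {path} -> {', '.join(hits)}")
```

Running it flags only the second and third sample requests, the third because its double-encoded payload decodes to an inline SVG with an event handler.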
Evidence notes
Vulnerability confirmed through the official Turkish cybersecurity authority USOM (TR-22-0637) and NVD records. The CPE criteria confirm the affected product as Yordam Library Automation System, with a version boundary excluding 19.2. The CVSS vector and CWE-79 classification are sourced from NVD and the USOM advisory.
Official resources
- CVE-2022-2266 CVE record (CVE.org)
- CVE-2022-2266 NVD detail (NVD)
- Mitigation or vendor reference: [email protected] - Third Party Advisory