PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-45479 Yordam Information Technologies CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in Yordam Information Technologies Library Automation System versions prior to 19.2. The flaw stems from improper neutralization of input during web page generation (CWE-79), allowing authenticated attackers with low privileges to inject malicious scripts that execute in victims' browsers. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates a network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, and low impacts to confidentiality and integrity with no availability impact. The vulnerability was published to the CVE database on March 2, 2023, although the CVE identifier dates from 2021. Turkish government cybersecurity resources (USOM and Siber Güvenlik) issued advisory TR-23-0119 documenting this vulnerability. No known exploitation in ransomware campaigns has been reported (non-KEV status).

Vendor: Yordam Information Technologies
Product: Library Automation System
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-03-02
Original CVE updated: 2026-05-18
Advisory published: 2023-03-02
Advisory updated: 2026-05-18

Who should care

Organizations operating Yordam Library Automation System instances, particularly academic and public libraries in Turkey and regions where this system is deployed. Security teams responsible for library management software, web application security assessors evaluating integrated library systems (ILS), and compliance officers addressing web application security standards in educational institutions.

Technical summary

The Yordam Library Automation System fails to properly sanitize user-supplied input before rendering it in web pages, resulting in a stored XSS vulnerability (CWE-79). Affected versions span all releases prior to 19.2. The attack requires low-privileged authenticated access and user interaction from an administrator or other privileged user viewing the injected content. Successful exploitation could allow session hijacking, privilege escalation, or defacement of library catalog interfaces. The vulnerability was disclosed through coordinated disclosure with Turkish national cybersecurity authorities.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Yordam Library Automation System to version 19.2 or later to remediate the stored XSS vulnerability
  • Implement Content Security Policy (CSP) headers to mitigate impact of any residual XSS vectors
  • Review and sanitize all user-controllable input fields in library cataloging and patron management interfaces
  • Set the HttpOnly and Secure flags on session cookies to reduce the session hijacking risk from any XSS exploitation
  • Monitor for suspicious script injection patterns in library system logs, particularly in bibliographic record fields and user comment areas
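The output-encoding fix behind the first three recommendations, the CSP and cookie-flag headers, and a simple triage check over stored record fields, as an added Python example that is not Yordam's code (the field names and the sample record are constructed):

```python
import html
import re

# Constructed sample: a bibliographic record as a low-privileged cataloguer
# might submit it. Field names are hypothetical, not Yordam's schema.
RECORD = {
    "title": "Intro to <b>Networks</b>",
    "note": '"><img src=x onerror=alert(1)>',  # constructed XSS test string
}

def render_unsafe(record):
    """'Before' rendering: raw interpolation into HTML, the CWE-79 pattern."""
    return f'<td title="{record["note"]}">{record["title"]}</td>'

def render_safe(record):
    """'After' rendering: encode for the HTML body and the attribute context.

    quote=True also escapes '"' so a value cannot close the title attribute.
    """
    return (f'<td title="{html.escape(record["note"], quote=True)}">'
            f'{html.escape(record["title"], quote=True)}</td>')

def security_headers():
    """Response headers for the CSP and cookie-flag recommendations.

    The cookie value is a placeholder; a real server issues its own id.
    """
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
        "Set-Cookie":
            "session=PLACEHOLDER_SESSION_ID; HttpOnly; Secure; SameSite=Lax; Path=/",
    }

# Triage heuristic for reviewing already-stored fields (catalog records,
# patron comments). It aids monitoring only; encoding on output is the fix.
SUSPICIOUS = re.compile(r"<\s*script|on\w+\s*=|javascript:|<\s*(img|svg|iframe)\b", re.I)

def flag_suspicious_fields(record):
    """Return the names of fields containing script-injection patterns."""
    return [name for name, value in record.items() if SUSPICIOUS.search(value)]
```

Run `flag_suspicious_fields` over exported records to prioritise review, and compare `render_unsafe` with `render_safe` to see why the encoded output no longer forms an `<img>` element.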

Evidence notes

Official sources include the NVD record and Turkish National Cyber Security Incident Response Team (USOM) advisory TR-23-0119. The CPE criteria confirm the affected versions: Library Automation System before 19.2. CVSS 5.4 (Medium) was assigned by NVD. CWE-79 (Improper Neutralization of Input During Web Page Generation) is identified as the root cause.
