PatchSiren cyber security CVE debrief
CVE-2021-45478 Yordam CVE debrief
CVE-2021-45478 documents an improper handling of parameters vulnerability in Yordam Library Automation System versions prior to 19.2. The vulnerability allows an attacker with low privileges to collect data as provided by users. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a network attack vector with low attack complexity, requiring low privileges and no user interaction, and resulting in high confidentiality impact with no integrity or availability impact. The vulnerability was published in the CVE database on March 2, 2023, although it affects a 2021-era software version. The Turkish National Cyber Security Incident Response Center (USOM) issued advisory TR-23-0119 regarding this vulnerability. Organizations using affected versions should upgrade to version 19.2 or later.
- Vendor: Yordam
- Product: Library Automation System
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-03-02
- Original CVE updated: 2026-05-18
- Advisory published: 2023-03-02
- Advisory updated: 2026-05-18
Who should care
Organizations operating Yordam Library Automation System versions prior to 19.2, particularly academic and public libraries using this Turkish-developed library management platform. System administrators and security teams responsible for library IT infrastructure should prioritize patching.
Technical summary
The vulnerability stems from improper handling of parameters in the Yordam Library Automation System, enabling authenticated attackers with low privileges to collect user-provided data. The network-accessible nature of the vulnerability combined with low attack complexity and no required user interaction increases exposure risk. The confidentiality-only impact (no integrity or availability effects) suggests targeted data exfiltration rather than system compromise.
Defensive priority
medium
Recommended defensive actions
- Upgrade Yordam Library Automation System to version 19.2 or later
- Review access controls for library automation system interfaces
- Monitor for unauthorized data access attempts in system logs
- Apply principle of least privilege for system accounts
- Verify patch deployment through version checking
Evidence notes
Vendor identification as 'Yordam' (not 'Bordam', as appears in some source descriptions) is supported by the CPE criteria cpe:2.3:a:yordam:library_automation_system:*:*:*:*:*:*:*:*. The vulnerability affects versions before 19.2. The CWE classification differs between sources: USOM lists CWE-233 (Improper Handling of Parameters), while NVD records NVD-CWE-Other.
Official resources
- CVE-2021-45478 CVE record (CVE.org)
- CVE-2021-45478 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory
The vulnerability was disclosed via official channels with a USOM advisory (TR-23-0119) providing third-party guidance. No known exploitation in ransomware campaigns has been documented.