Description
Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploitation of Trusted Identifiers.

This issue affects Library Automation System: from v.21.6 before v.22.1.
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR (Insecure Direct Object Reference) that allows an attacker to supply a user-controlled key to bypass the system’s authorization checks. By manipulating the identifier, an unauthorized individual can access or modify data that should be restricted, potentially exposing sensitive borrower information or altering inventory records. The impact includes loss of data confidentiality and integrity, and a partial break of segregation of duties.

Affected Systems

The affected product is Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.’s Library Automation System. Vulnerable releases span from version 21.6 through any release prior to 22.1.

Risk and Exploitability

The CVSS score of 8.8 places this issue in the high severity range. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the system’s web interface, where an attacker can supply the vulnerable identifier parameter. Successful exploitation requires an authenticated session, but the IDOR nature means anyone who can interact with the web UI may manipulate the key to gain access to data they are not authorized to view.

Generated by OpenCVE AI on May 14, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to version 22.1 or later, which contains the patched authorization checks.
  • Restrict access to the API endpoints that accept user-controlled identifiers, ensuring only privileged users can invoke them.
  • Implement server‑side validation that confirms the requesting user is the owner of the requested resource before returning data.
  • Monitor audit logs for anomalous identifier access attempts and enforce rate limiting on those endpoints.

Generated by OpenCVE AI on May 14, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Yordam
Yordam library Automation System
Vendors & Products Yordam
Yordam library Automation System

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploitation of Trusted Identifiers. This issue affects Library Automation System: from v.21.6 before v.22.1.
Title IDOR in Yordam Informatics' Library Automation System
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Yordam Library Automation System
cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-14T13:44:16.034Z

Reserved: 2025-12-22T08:06:59.161Z

Link: CVE-2025-15025

cve-icon Vulnrichment

Updated: 2026-05-14T13:44:12.962Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T14:16:15.640

Modified: 2026-05-14T16:20:13.477

Link: CVE-2025-15025

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T17:09:17Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key