Description
Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploitation of Trusted Identifiers.

This issue affects Library Automation System: from v.21.6 before v.22.1.
Published: 2026-05-14
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR (Insecure Direct Object Reference) that allows an attacker to supply a user-controlled key to bypass the system’s authorization checks. By manipulating the identifier, an unauthorized individual can access or modify data that should be restricted, potentially exposing sensitive borrower information or altering inventory records. The impact includes loss of data confidentiality and integrity, and a partial break of segregation of duties.

Affected Systems

The affected product is Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.’s Library Automation System. Vulnerable releases span from version 21.6 through any release prior to 22.1.

Risk and Exploitability

The CVSS score of 8.8 places this issue in the high severity range. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the system’s web interface, where an attacker can supply the vulnerable identifier parameter. Successful exploitation requires an authenticated session, but the IDOR nature means anyone who can interact with the web UI may manipulate the key to gain access to data they are not authorized to view.

Generated by OpenCVE AI on May 14, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to version 22.1 or later, which contains the patched authorization checks.
  • Restrict access to the API endpoints that accept user-controlled identifiers, ensuring only privileged users can invoke them.
  • Implement server‑side validation that confirms the requesting user is the owner of the requested resource before returning data.
  • Monitor audit logs for anomalous identifier access attempts and enforce rate limiting on those endpoints.

Generated by OpenCVE AI on May 14, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploitation of Trusted Identifiers. This issue affects Library Automation System: from v.21.6 before v.22.1.
Title IDOR in Yordam Informatics' Library Automation System
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-14T13:44:16.034Z

Reserved: 2025-12-22T08:06:59.161Z

Link: CVE-2025-15025

cve-icon Vulnrichment

Updated: 2026-05-14T13:44:12.962Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T14:16:15.640

Modified: 2026-05-14T16:20:13.477

Link: CVE-2025-15025

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses