CVE-2025-7760 PUBLISHED

Reflected XSS in Ofisimo's Association Web Package Flora

Assigner: TR-CERT
Reserved: 17.07.2025 Published: 03.02.2026 Updated: 03.02.2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers.This issue affects Association Web Package Flora: from v3.0 through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
CVSS Score: 7.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Ofisimo Web-Based Software Technologies
Product	Association Web Package Flora
Versions	Default: affected affected from v3.0 to 03022026 (incl.)

Credits

Çetin BİNİCİ finder

References

https://www.usom.gov.tr/bildirim/tr-26-0015

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE

Impacts

CAPEC-86 XSS Through HTTP Headers