Key Information

Vulnerability Overview

CVE-ID: CVE-2025-2812
USOM Announcement: tr-25-0099
Vulnerability Type: CWE-89 - SQL Injection (Boolean-based Blind)
Affected System: Bilet Satış Otomasyonu by Mydata Bilişim Ltd. Şti
Original URL: https://otobusfirmasi.com.tr/otobus-bileti/SifremiUnuttum.php

Vulnerability Description

A Boolean-based blind SQL injection vulnerability was detected in the "Adınızın ilk harfi" ("first letter of your name") parameter on the SifremiUnuttum.php page of the "Bilet Satış Otomasyonu" system. Attackers can exploit this vulnerability to retrieve users' names.

Impact Scope

This vulnerability affects the systems of the following 20 bus companies:

Balıkesir Uludağ
Kontur
Efe Tur
Kale Seyahat
And 16 other companies

PoC (Proof of Concept)

HTTP Request:

Used Payload:

Technical Details

Vulnerable Parameter: ilkHarf
Method: Boolean-based Blind SQLi
Vulnerability Type: Improper neutralization of special elements in SQL commands (SQL Injection)

Acknowledgments

We thank Mydata Bilişim Ltd. Şti for their support and cooperation in identifying and resolving the vulnerability.
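Mitigation sketch for the ilkHarf flaw described above, added here as an example and not taken from the vendor's code: the parameter is restricted to a single letter, bound as a query parameter, and answered with one uniform response so the page returns no true/false signal. The users table, its columns, the function names and the sample row are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative only: schema, function names and sample rows are constructed;
// the vendor's real code and database layout are not shown on this page.

/** Accept exactly one Unicode letter; anything else never reaches SQL. */
function validIlkHarf(string $v): bool
{
    return preg_match('/^\p{L}$/u', $v) === 1;
}

/** Check the reset hint with bound parameters, never string concatenation. */
function hintMatches(PDO $db, string $email, string $ilkHarf): bool
{
    if (!validIlkHarf($ilkHarf)) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT 1 FROM users WHERE email = :email AND name LIKE :prefix LIMIT 1'
    );
    // The validated letter is pure data for LIKE; it cannot be % or _.
    $stmt->execute([':email' => $email, ':prefix' => $ilkHarf . '%']);
    return $stmt->fetchColumn() !== false;
}

/** Same body for hit and miss, so the response is not a boolean oracle. */
function resetResponse(bool $matched): string
{
    // When $matched is true the application would queue the reset e-mail here.
    return 'If the details match an account, a reset link has been sent.';
}

// Constructed in-memory data so the example runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES ('ayse@example.test', 'Ayşe')");

// Constructed inputs: a correct letter, a wrong letter, and three malformed values.
foreach (['A', 'B', "A'", '%', ''] as $in) {
    $ok = hintMatches($db, 'ayse@example.test', $in);
    printf("%-6s matched=%-3s body=%s\n", json_encode($in), $ok ? 'yes' : 'no', resetResponse($ok));
}
```

Only the first input matches internally; every input, valid or not, produces the same response body.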