CVE-2025-10467: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Stored XSS. This issue affects OBS (Student Affairs Information System): before v25.0401.
AI Analysis
Technical Summary
CVE-2025-10467 is a high-severity vulnerability classified under CWE-79, Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). It affects the OBS (Student Affairs Information System) developed by PROLIZ Computer Software Hardware Service Trade Ltd. Co., in versions prior to v25.0401. The vulnerability is a Stored XSS flaw: script injected by an attacker is persisted on the target system (e.g., in a database) and subsequently served to every user who views the affected pages. This type of XSS is particularly dangerous because one injection can affect many users without the attacker having to repeat the exploitation. The CVSS v3.1 score of 8.9 reflects a high severity, with a network attack vector (AV:N), low attack complexity (AC:L), a requirement for low privileges (PR:L), and a requirement for user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. The impact on confidentiality and integrity is high (C:H/I:H), with a low impact on availability (A:L). Exploiting this vulnerability could allow attackers to execute arbitrary scripts in the context of the victim's browser, leading to session hijacking, credential theft, unauthorized actions on behalf of users, or distribution of malware. Although no known exploits are currently reported in the wild, the vulnerability's characteristics and high CVSS score suggest it is a critical risk if left unpatched. The lack of available patches at the time of publication increases the urgency for affected organizations to implement interim mitigations.
Potential Impact
For European organizations, particularly educational institutions and administrative bodies using the OBS Student Affairs Information System, this vulnerability poses significant risks. Exploitation could lead to unauthorized access to sensitive student data, including personal identification information, academic records, and possibly financial details. The compromise of user sessions could allow attackers to impersonate staff or students, manipulate records, or escalate privileges within the system. This could result in data breaches violating GDPR requirements, leading to regulatory penalties and reputational damage. Additionally, the Stored XSS nature means that multiple users could be impacted from a single successful injection, amplifying the potential damage. The vulnerability could also be leveraged as a foothold for further attacks within the network, threatening broader organizational IT infrastructure. The requirement for some level of privilege and user interaction somewhat limits the ease of exploitation but does not eliminate the risk, especially in environments where users may be tricked into clicking malicious links or interacting with compromised content.
Mitigation Recommendations
Given the absence of an official patch at the time of disclosure, European organizations should implement several specific mitigations:
1) Conduct a thorough input validation and output encoding review within the OBS system, focusing on all user-supplied data that is rendered in web pages. Employ context-aware encoding to neutralize scripts.
2) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the system.
3) Enforce strict user privilege management to minimize the number of users with the ability to input data that is rendered to others.
4) Educate users on the risks of interacting with suspicious links or content within the system to reduce the likelihood of successful exploitation requiring user interaction.
5) Monitor logs and user activity for unusual behavior indicative of XSS exploitation attempts.
6) Where feasible, isolate the OBS system within a segmented network zone to limit lateral movement if compromised.
7) Engage with the vendor for timely updates and patches, and plan for rapid deployment once available.
8) Consider deploying web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting the OBS system.
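As an added illustration of recommendations 1 and 2 (example code written for this analysis, not code from PROLIZ OBS, whose implementation is not shown here), the following Python sketch renders one stored, user-controlled field with context-aware encoding for the three common output contexts and pairs it with a nonce-based CSP header. The field name `note`, the sample value and the `initPage()` call are constructed assumptions.

```python
import html
import json
import secrets

# Constructed sample: what a stored, attacker-controlled field (a note, a name,
# a comment) might hold after being written to the database unchecked.
STORED_NOTE = '<img src=x onerror="alert(document.cookie)">Hi "all"'


def render_unsafe(note: str) -> str:
    """The stored-XSS pattern: the database value is spliced straight into HTML."""
    return f'<p class="note">{note}</p>'


def render_html_text(note: str) -> str:
    """Element-body context: escape &, <, > and both quote characters."""
    return f'<p class="note">{html.escape(note, quote=True)}</p>'


def render_attribute(note: str) -> str:
    """Attribute context: escape *and* always quote the attribute, so the value
    can neither terminate it nor smuggle in an event-handler attribute."""
    return f'<input name="note" value="{html.escape(note, quote=True)}">'


def to_embedded_json(value) -> str:
    """Script context: JSON-serialise, then escape the characters that could close
    the enclosing <script> element; JSON.parse in the browser restores them."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def csp_header(nonce: str) -> str:
    """Nonce-based CSP: only scripts carrying this per-response nonce may run, so
    an injected inline <script> or onerror= handler is refused by the browser."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def render_page(note: str) -> tuple[dict, str]:
    """Headers and body for a page showing the stored note in all three contexts."""
    nonce = secrets.token_urlsafe(16)          # fresh per response, never reused
    headers = {"Content-Security-Policy": csp_header(nonce),
               "X-Content-Type-Options": "nosniff"}
    body = (f'<script nonce="{nonce}">initPage()</script>\n'
            f"{render_html_text(note)}\n{render_attribute(note)}\n"
            f'<script type="application/json" id="note-data">'
            f"{to_embedded_json(note)}</script>")
    return headers, body
```

Encoding must happen at output time, per context, rather than once at storage time, because the same stored value is typically rendered in more than one context.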
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: TR-CERT
- Date Reserved: 2025-09-15T07:56:05.446Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d5da079e21be37e937d09f
Added to database: 9/26/2025, 12:10:47 AM
Last enriched: 9/26/2025, 12:14:11 AM
Last updated: 9/26/2025, 12:14:11 AM