CVE-2025-10914 identifies a reflected Cross-site Scripting (XSS) vulnerability in the OBS Student Affairs Information System developed by Proliz Software Ltd. Co. The flaw stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79. This vulnerability allows attackers to craft malicious URLs or inputs that, when processed by the vulnerable OBS versions prior to V26.0401, cause arbitrary JavaScript code execution in the context of the victim's browser session. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), such as clicking a malicious link. The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component. The CVSS v3.1 base score is 7.6, indicating high severity, with high impact on confidentiality (C:H), low impact on integrity (I:L), and low impact on availability (A:L). While no public exploits are currently known, the vulnerability poses a significant risk to confidentiality by enabling session hijacking, credential theft, or unauthorized actions performed under the victim’s identity. The affected product is widely used in educational institutions for managing student affairs, making it a valuable target for attackers seeking to compromise sensitive student and staff data. The absence of a patch link suggests that a fix is either pending or not yet publicly released, emphasizing the need for interim mitigations.

For European organizations, particularly educational institutions using the OBS Student Affairs Information System, this vulnerability could lead to unauthorized disclosure of sensitive student and staff information, including personal data protected under GDPR. Attackers exploiting this XSS flaw can hijack user sessions, steal authentication tokens, or perform actions on behalf of legitimate users, potentially disrupting administrative processes. The impact extends beyond confidentiality to minor integrity and availability concerns, as injected scripts could manipulate displayed content or cause denial of service in the user interface. Given the critical role of student information systems in managing academic records, enrollment, and communications, exploitation could undermine trust and operational continuity. Additionally, the reputational damage and regulatory penalties associated with data breaches in the education sector could be significant. The requirement for user interaction means phishing or social engineering campaigns could be used to trigger exploitation, increasing the attack surface. The lack of known exploits currently provides a window for proactive defense, but the high CVSS score underscores the urgency of addressing the vulnerability.

Organizations should prioritize upgrading OBS Student Affairs Information System to version V26.0401 or later once the patch is released by Proliz Software Ltd. Co. Until a patch is available, implement strict input validation and output encoding on all user-supplied data to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Educate users and staff to recognize and avoid suspicious links or emails that could trigger reflected XSS attacks. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the OBS system. Conduct regular security assessments and penetration testing focused on input handling in the affected application. Monitor logs for unusual activity indicative of attempted exploitation. Coordinate with software vendors and cybersecurity authorities for timely updates and advisories. Finally, ensure incident response plans include procedures for handling XSS exploitation scenarios in educational environments.