CVE-2025-10914 identifies a reflected Cross-site Scripting (XSS) vulnerability in the OBS (Student Affairs Information System) developed by Proliz Software Ltd. Co. This vulnerability stems from improper neutralization of input during web page generation, categorized under CWE-79. Specifically, the system fails to adequately sanitize or encode user-supplied input before including it in dynamically generated web pages, enabling attackers to inject malicious JavaScript code. The vulnerability affects all versions prior to V26.0401. An attacker can craft a malicious URL containing executable script code that, when clicked by a user, causes the victim's browser to execute the injected script within the security context of the vulnerable web application. This can lead to theft of session cookies, user impersonation, or redirection to malicious sites. The CVSS v3.1 base score is 7.6, indicating a high severity level, with attack vector being network-based (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact on confidentiality is high due to potential data exposure, while integrity and availability impacts are low. No patches or exploits are currently publicly available, but the vulnerability is officially published and reserved as of late 2025. The vulnerability is particularly concerning for educational institutions relying on OBS for student affairs management, as it may expose sensitive student data and administrative credentials.

For European organizations, especially educational institutions using the OBS Student Affairs Information System, this vulnerability poses a significant risk to the confidentiality of sensitive student and administrative data. Successful exploitation can lead to session hijacking, unauthorized access to personal information, and potential further compromise of internal systems. The reflected XSS nature means attackers can target users via phishing or malicious links, increasing the attack surface. Given the critical role of student information systems in managing academic records, identity verification, and communications, exploitation could disrupt administrative operations and damage institutional reputation. Additionally, data privacy regulations such as GDPR impose strict requirements on protecting personal data, and breaches resulting from this vulnerability could lead to regulatory penalties and legal consequences. The limited impact on integrity and availability reduces the risk of data tampering or denial of service, but confidentiality breaches alone are serious in this context.

Organizations should prioritize upgrading the OBS Student Affairs Information System to version V26.0401 or later once patches are released by Proliz Software Ltd. Co. In the interim, implement strict input validation and output encoding on all user-supplied data to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct user awareness training to recognize and avoid phishing attempts involving suspicious URLs. Monitor web application logs for unusual request patterns indicative of attempted XSS exploitation. Utilize web application firewalls (WAFs) configured to detect and block reflected XSS payloads targeting the OBS system. Regularly audit and test the application for XSS vulnerabilities using automated scanning tools and manual penetration testing. Coordinate with vendors and cybersecurity teams to ensure timely vulnerability disclosure and patch management. Finally, review and update incident response plans to address potential XSS exploitation scenarios.