The vulnerability identified as CVE-2025-13244 affects the code-projects Student Information System version 2.0. It is a Cross Site Scripting (XSS) flaw located in an unspecified function within the /register.php file. This vulnerability allows an attacker to inject malicious scripts remotely without requiring any authentication, exploiting insufficient input validation or output encoding in the registration process. The attack vector is network-based with low attack complexity and no privileges required, but it requires user interaction to trigger the malicious payload. The impact primarily affects the integrity of user sessions and potentially confidentiality if session cookies or sensitive data are exposed through the injected scripts. The CVSS 4.0 base score of 5.3 reflects a medium severity rating, indicating moderate risk. No patches have been published yet, and while the exploit code has been publicly disclosed, no active exploitation has been observed. This vulnerability could be leveraged for phishing, session hijacking, or defacement attacks targeting users of the Student Information System, which is commonly deployed in educational environments to manage student data and registration processes.

For European organizations, particularly educational institutions using the code-projects Student Information System, this vulnerability poses a moderate risk. Successful exploitation could lead to session hijacking, allowing attackers to impersonate legitimate users, potentially gaining unauthorized access to sensitive student information. It could also facilitate phishing attacks by injecting malicious scripts that redirect users to fraudulent sites or steal credentials. Although the vulnerability does not directly compromise system availability or allow privilege escalation, the exposure of personal data could lead to regulatory non-compliance under GDPR, resulting in legal and financial repercussions. The need for user interaction limits automated exploitation but does not eliminate risk, especially in environments where users may be less security-aware. The absence of a patch increases the window of exposure, necessitating immediate mitigation efforts. Overall, the impact is significant due to the sensitivity of educational data and the potential for reputational damage to affected institutions.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on all user-supplied data in the /register.php functionality to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct security awareness training for users to recognize and avoid phishing attempts that may leverage this vulnerability. Monitor web server logs and application behavior for unusual requests or signs of attempted XSS exploitation. If possible, isolate the Student Information System behind a web application firewall (WAF) configured to detect and block XSS payloads. Since no official patch is available, consider temporarily disabling or restricting the vulnerable registration feature or requiring additional verification steps during registration. Regularly check for vendor updates or patches and apply them promptly once released. Additionally, implement multi-factor authentication (MFA) for user accounts to reduce the impact of session hijacking.