CVE-2025-13245 is a cross-site scripting (XSS) vulnerability identified in the code-projects Student Information System version 2.0, specifically within the /editprofile.php script. The vulnerability arises from insufficient sanitization of user-supplied input, allowing attackers to inject malicious JavaScript code that executes in the context of the victim’s browser. This flaw can be exploited remotely without authentication, although user interaction is required to trigger the malicious payload, such as by visiting a crafted URL or clicking a malicious link. The vulnerability primarily impacts the confidentiality and integrity of user sessions by enabling theft of session cookies, defacement of web pages, or execution of unauthorized actions on behalf of the victim. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and user interaction needed (UI:P), resulting in a medium severity score of 5.1. While no active exploits have been reported in the wild, proof-of-concept code is publicly available, increasing the risk of exploitation. The lack of vendor patches at this time necessitates immediate mitigation efforts by affected organizations. The vulnerability is particularly concerning for educational institutions managing sensitive student information, as exploitation could lead to unauthorized data disclosure or manipulation. The attack surface is limited to the affected version 2.0 of the Student Information System, which narrows the scope but still poses a significant risk where deployed.

For European organizations, especially educational institutions using the code-projects Student Information System 2.0, this vulnerability poses risks including unauthorized access to student data, session hijacking, and potential manipulation of user profiles. Such impacts can lead to breaches of personal data protected under GDPR, resulting in legal and financial consequences. The integrity of student records and profiles could be compromised, undermining trust in institutional IT systems. Additionally, successful exploitation might facilitate further attacks within the network if attackers leverage stolen credentials or session tokens. The medium severity rating reflects moderate impact potential, but the ease of remote exploitation without authentication increases urgency. Disruption to educational services and reputational damage are also possible, particularly if attackers deface portals or leak sensitive information. The vulnerability’s presence in a widely used student information system amplifies the potential scale of impact across multiple European countries.

Organizations should immediately audit their use of the code-projects Student Information System and identify any deployments of version 2.0. Until an official patch is released, implement strict input validation and output encoding on all user inputs, especially those handled by /editprofile.php, to neutralize malicious scripts. Deploy web application firewalls (WAFs) with rules specifically targeting XSS attack patterns to provide an additional layer of defense. Educate users about the risks of clicking suspicious links and encourage cautious behavior to reduce successful exploitation via social engineering. Monitor web server logs and application behavior for signs of attempted XSS attacks or unusual activity. Coordinate with the vendor to obtain timely patches and apply them as soon as they become available. Consider isolating or restricting access to the vulnerable system to trusted networks only, reducing exposure to external attackers. Regularly review and update security policies related to web application security and incident response.