CVE-2025-13784 identifies a cross-site scripting vulnerability in the yungifez Skuul School Management System, specifically affecting versions 2.6.0 through 2.6.5. The vulnerability resides in the SVG File Handler component within the /dashboard/schools/1/edit endpoint, where insufficient input sanitization allows attackers to inject malicious JavaScript code. This flaw is exploitable remotely without authentication, but requires user interaction, such as an authenticated user clicking a crafted link or visiting a malicious page. The vulnerability enables attackers to execute arbitrary scripts in the context of the victim’s browser session, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. The vendor has not issued a patch or responded to disclosure efforts, and public exploit code is available, increasing the risk of exploitation. The CVSS 4.8 score reflects medium severity, considering the lack of authentication requirement but the need for user interaction and limited impact on confidentiality and integrity. The vulnerability does not affect system availability or require elevated privileges, but the ability to execute scripts in an authenticated session poses a significant risk to user data and application trustworthiness. The absence of official remediation necessitates that organizations implement compensating controls and monitor for exploitation attempts.

For European organizations, particularly educational institutions using the yungifez Skuul School Management System, this vulnerability poses a risk of unauthorized script execution within user sessions. Attackers could leverage this to steal session cookies, impersonate users, or perform unauthorized actions such as modifying school data or accessing sensitive student information. The impact on confidentiality is moderate due to potential data exposure, while integrity could be compromised if attackers manipulate application data. Availability is not directly affected. The presence of public exploit code increases the likelihood of targeted attacks, especially in environments where the system is widely deployed. Given the lack of vendor response and patches, organizations face prolonged exposure. This could lead to reputational damage, regulatory non-compliance under GDPR if personal data is compromised, and operational disruptions in school management activities. The threat is amplified in countries with significant deployments of this software or where attackers have strategic interest in educational data.

1. Immediately implement strict input validation and output encoding on the /dashboard/schools/1/edit endpoint, focusing on sanitizing SVG file inputs and any user-supplied data to prevent script injection. 2. Deploy or update Web Application Firewalls (WAFs) with rules specifically targeting XSS attack patterns, including those exploiting SVG content. 3. Conduct thorough code reviews and penetration testing to identify and remediate similar injection points within the application. 4. Educate users and administrators about the risks of clicking untrusted links and encourage the use of security-aware browsing practices. 5. Monitor application logs and network traffic for signs of exploitation attempts, such as unusual requests to the vulnerable endpoint or anomalous user behavior. 6. If feasible, isolate the affected system from public internet access or restrict access to trusted IP ranges until a patch or official fix is available. 7. Engage with the vendor or community to advocate for an official patch or consider migrating to alternative, actively maintained school management systems. 8. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application context.