
CVE-2025-28121: n/a in n/a

Medium
Tags: Vulnerability, CVE-2025-28121, cve, n/a, CWE-79
Published: Mon Apr 21 2025 (04/21/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

code-projects Online Exam Mastering System 1.0 is vulnerable to Cross Site Scripting (XSS) in feedback.php via the "q" parameter allowing remote attackers to execute arbitrary code.

AI-Powered Analysis

AI analysis last updated: 06/21/2025, 14:22:20 UTC

Technical Analysis

CVE-2025-28121 is a Cross Site Scripting (XSS) vulnerability identified in the code-projects Online Exam Mastering System version 1.0. The vulnerability exists in the feedback.php component, specifically via the "q" parameter. This parameter does not properly sanitize user-supplied input, allowing remote attackers to inject malicious scripts. When a victim accesses a crafted URL containing the malicious payload in the "q" parameter, the injected script executes in the context of the victim's browser. This can lead to unauthorized actions such as session hijacking, credential theft, or redirection to malicious sites. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. According to the CVSS 3.1 vector, the attack vector is network-based (AV:N), requiring low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The impact on confidentiality and integrity is low (C:L, I:L), with no impact on availability (A:N). No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved on March 11, 2025, and published on April 21, 2025. The Online Exam Mastering System is a web-based platform used for managing and conducting online examinations, which may handle sensitive student data and exam content.

Potential Impact

For European organizations, especially educational institutions and certification bodies using the affected Online Exam Mastering System, this vulnerability poses a risk to the confidentiality and integrity of user data. Attackers exploiting this XSS flaw could steal session cookies or credentials of students, instructors, or administrators, potentially leading to unauthorized access to exam results or manipulation of exam content. This undermines the trustworthiness of online assessments and could have regulatory implications under GDPR if personal data is compromised. Although the availability of the system is not directly impacted, the reputational damage and potential data breaches could be significant. The requirement for user interaction means phishing or social engineering campaigns could be used to lure victims into clicking malicious links. Since the scope is changed, the attack could affect other components or users beyond the immediate vulnerable parameter, increasing the potential reach of the attack. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

Mitigation Recommendations

1. Immediately implement input validation and output encoding on the "q" parameter in feedback.php to neutralize malicious scripts. Use context-aware encoding (e.g., HTML entity encoding) to prevent script execution.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser.
3. Educate users, especially students and staff, about the risks of clicking on suspicious links and encourage verification of URLs before interaction.
4. Monitor web server logs for unusual query parameter values or repeated attempts to exploit the "q" parameter.
5. If possible, isolate the Online Exam Mastering System in a segmented network environment to limit lateral movement in case of compromise.
6. Develop and deploy patches or updates as soon as they become available from the vendor or community.
7. Implement multi-factor authentication (MFA) for administrative access to reduce the impact of stolen credentials.
8. Conduct regular security assessments and penetration testing focusing on web application vulnerabilities, including XSS.
9. Review and sanitize all user-generated content displayed on the platform to prevent similar vulnerabilities elsewhere.
10. Back up critical data regularly to ensure recovery in case of any compromise.
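As an added illustration of recommendation 4 (not code from the vulnerability record or the affected product), the script below scans combined-format web server log lines for requests to feedback.php whose "q" parameter decodes to HTML markup, normalising double-percent-encoding first, and lists source addresses with repeated attempts. The log lines, IP addresses and path are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2025:10:01:02 +0000] "GET /feedback.php?q=great+course HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Apr/2025:10:01:05 +0000] "GET /feedback.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Apr/2025:10:01:09 +0000] "GET /feedback.php?q=%253Cscript%253Ealert(2)%253C%252Fscript%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Apr/2025:10:02:00 +0000] "GET /index.php?page=%3Cb%3Ehi HTTP/1.1" 200 300 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Tag openers, javascript: URLs and inline event handlers; tune for your own traffic.
MARKUP_RE = re.compile(r'<[a-zA-Z/!]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_q_values(log_text, path="/feedback.php"):
    """Return (ip, decoded_q) for requests to `path` whose q parameter looks like markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        parts = urlsplit(m.group("target"))
        if parts.path != path:
            continue
        # parse_qs decodes one layer; fully_decode handles the rest.
        for q in parse_qs(parts.query, keep_blank_values=True).get("q", []):
            decoded = fully_decode(q)
            if MARKUP_RE.search(decoded):
                hits.append((m.group("ip"), decoded))
    return hits


def repeat_offenders(hits, threshold=2):
    """Source IPs with at least `threshold` suspicious q values (repeated attempts)."""
    counts = Counter(ip for ip, _ in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Feed it your real access log in place of SAMPLE_LOG; the regex is a coarse first filter, so review hits rather than alerting on them blindly.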


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-03-11T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d984bc4522896dcbf7d27

Added to database: 5/21/2025, 9:09:31 AM

Last enriched: 6/21/2025, 2:22:20 PM

Last updated: 8/1/2025, 1:15:06 AM

Views: 11
