CVE-2025-3961: Cross Site Scripting in withstars Books-Management-System
A vulnerability classified as problematic has been found in withstars Books-Management-System 1.0. This affects an unknown part of the file /admin/article/add/do. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer.
AI Analysis
Technical Summary
CVE-2025-3961 is a cross-site scripting (XSS) vulnerability in version 1.0 of the withstars Books-Management-System, reached through the /admin/article/add/do endpoint, the handler that stores a newly submitted article. The Title parameter is accepted without adequate validation and is later rendered without output encoding, so a user who can submit an article can inject HTML and JavaScript that executes in the browser of whoever views the page where the title is displayed. Because the endpoint persists data, this is most likely a stored XSS; the advisory does not say where the payload is rendered. VulDB classifies the issue as 'problematic' and assigns a CVSS 4.0 base score of 5.1 (medium). The attack vector is network-based (AV:N). The attacker needs a low-privileged account (PR:L), and the victim's involvement is passive (UI:P): a user only has to open the page containing the stored title, not click a crafted link. The scored impact is a limited loss of integrity (VI:L), with confidentiality not rated as affected; in practice, script running in an administrator's session can still read page content and issue authenticated requests. The advisory notes that other parameters might be affected as well, which points to a general lack of output encoding rather than a single missed field. The product is no longer supported by its maintainer, so no official patch is expected. No exploitation in the wild has been reported, but the exploit has been publicly disclosed, which lowers the bar for anyone targeting an instance that is still deployed.
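The rendering defect described above, as an added example that is not code from the Books-Management-System project: a vulnerable article-list renderer that interpolates the stored Title unencoded, beside a hardened one that HTML-encodes it at output time. The handler shape, the in-memory store standing in for the database, and the assumption that the title is shown in an article list are illustrative only; the advisory does not say where the title is rendered.

```javascript
// Added example, not the project's code. The form field "Title", the handler
// shape and the in-memory store are assumptions standing in for the real
// /admin/article/add/do handler and its database.

// Stand-in for the handler behind POST /admin/article/add/do: it persists the
// submitted Title as-is. Storing raw input is acceptable; the defect is that
// it is later rendered without encoding.
function addArticle(store, form) {
  const article = { id: store.length + 1, title: String(form.Title ?? '') };
  store.push(article);
  return article;
}

// Vulnerable renderer: the title is concatenated straight into HTML, so a
// title such as <img src=x onerror=alert(1)> becomes live markup in the
// browser of whoever views the list.
function renderArticleListVulnerable(store) {
  return '<ul>' +
    store.map(a => `<li data-id="${a.id}">${a.title}</li>`).join('') +
    '</ul>';
}

// Encode the five characters that let text break out of an HTML text node or
// a quoted attribute value. This is the fix for text and attribute contexts;
// JavaScript and URL contexts need their own encoders.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened renderer: identical markup, but the title is encoded at output time.
function renderArticleListSafe(store) {
  return '<ul>' +
    store.map(a => `<li data-id="${a.id}">${escapeHtml(a.title)}</li>`).join('') +
    '</ul>';
}

// Crude stand-in for a browser's parser: collect the tag names present in the
// rendered HTML. Anything beyond the renderer's own ul/li came from user data.
function injectedTags(html) {
  const own = new Set(['ul', 'li']);
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    found.add(m[1].toLowerCase());
  }
  return [...found].filter(t => !own.has(t));
}

// Stand-alone demo with a constructed payload (a generic XSS probe, not the
// disclosed exploit).
const demo = [];
addArticle(demo, { Title: '<img src=x onerror=alert(1)>' });
console.log('vulnerable:', renderArticleListVulnerable(demo), injectedTags(renderArticleListVulnerable(demo)));
console.log('hardened:  ', renderArticleListSafe(demo), injectedTags(renderArticleListSafe(demo)));
```

The point of keeping the storage step unchanged is that the fix belongs at the output boundary: encoding at render time protects every field and every page that shows it, which matters here because the advisory says other parameters may be affected too.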
Potential Impact
For European organizations running withstars Books-Management-System 1.0, the exposure sits with users of the administrative interface: /admin/article/add/do is an admin function, and the stored title is most likely displayed to administrators. Script executing in an administrator's browser inherits that session. It can submit further administrative requests (creating or altering articles and other records), rewrite what the interface shows, redirect the user to an attacker-controlled page, or read the session cookie if it is not marked HttpOnly. The CVSS score rates only a limited integrity impact, but these follow-on actions are what make a medium-rated XSS in an admin panel worth treating seriously. Because the product is no longer maintained, there is no vendor fix to wait for. In education, publishing and library settings where a system like this is typically deployed, tampering with catalogue or article content affects operational continuity and trust in the records. The attacker needs an account with low privileges (PR:L), so the realistic scenario is a malicious or compromised low-level account, including one taken over through phishing, rather than an anonymous attacker. No exploitation in the wild has been reported, but the exploit is public, so organizations should act before that changes.
Mitigation Recommendations
With no vendor patch available, European organizations still running this product should rely on compensating controls:
1) Restrict the admin interface, including /admin/article/add/do, to trusted IP ranges or VPN access so that only legitimate staff can reach it.
2) If the source is available, fix the defect directly: HTML-encode Title and every other user-supplied field at the point where the templates render them. Contextual output encoding is the actual fix for XSS; input filtering is only a backstop.
3) Put a reverse proxy or WAF in front of the application with rules that inspect POST bodies to /admin/article/add/do for script-like content in Title and the other form fields. Decode URL encoding before matching, and expect both false positives and bypasses; treat this as detection and friction, not as the fix.
4) Serve a Content-Security-Policy that disallows inline script and untrusted script sources, and set the session cookie with the HttpOnly and SameSite attributes. Both limit what an injected script can do even when it runs.
5) Brief administrative users that stored content, not just links, can carry the payload, so unusual article titles or unexpected behaviour in the admin panel should be reported rather than ignored.
6) Log and alert on requests to the vulnerable endpoint: repeated submissions containing markup, submissions from unfamiliar accounts or addresses, and administrative actions the user did not intend.
7) Segment the host so that a compromise of this application cannot be used to reach other systems, and review which accounts hold the low privileges needed to post articles.
8) Plan a migration to a maintained system; compensating controls are a bridge, not a destination.
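The proxy-side inspection and monitoring steps above, as an added example that is neither the project's code nor any WAF product's rule set: a check that decodes the form body of a POST to /admin/article/add/do and flags script-like content in Title and the other fields, plus a triage pass over a constructed batch of requests that surfaces clients with repeated hits. The endpoint, the field names, the sample requests, the client addresses and the alert threshold are all assumptions.

```javascript
// Added example, not the project's code or a vendor's WAF rules. The endpoint,
// the field names, the sample requests and the alert threshold are assumptions.

// Signatures of the constructs commonly used to reach script execution from a
// text field. A blocklist like this is a heuristic: expect bypasses and the
// occasional false positive, and keep output encoding as the real fix.
const PATTERNS = [
  /<\/?(script|img|svg|iframe|object|embed|body|style|math|form|input|a|details|video|audio)\b/i,
  /\bon[a-z]+\s*=/i,          // inline event handlers such as onerror=, onload=
  /javascript\s*:/i,          // javascript: URLs in href/src
  /data\s*:\s*text\/html/i,   // data: URLs carrying an HTML document
];

// Undo up to two layers of percent-encoding so a double-encoded payload is
// matched in the form the backend will eventually see; stop once decoding
// no longer changes the value or hits a malformed sequence.
function normalize(value) {
  let v = value;
  for (let i = 0; i < 2; i++) {
    let decoded;
    try { decoded = decodeURIComponent(v); } catch { break; }
    if (decoded === v) break;
    v = decoded;
  }
  return v;
}

// Inspect an application/x-www-form-urlencoded body sent to the vulnerable
// endpoint. Every field is checked, not just Title, because the advisory
// notes that other parameters might be affected as well.
function inspectForm(path, body) {
  if (path !== '/admin/article/add/do') return [];
  const findings = [];
  for (const [field, raw] of new URLSearchParams(body)) {
    const value = normalize(raw);
    const hit = PATTERNS.find(p => p.test(value));
    if (hit) findings.push({ field, value, pattern: hit.source });
  }
  return findings;
}

// Constructed sample of proxied requests (not real traffic). Addresses are
// taken from the documentation ranges.
const SAMPLE_REQUESTS = [
  { ip: '203.0.113.7',  user: 'editor', path: '/admin/article/add/do', body: 'Title=Quarterly+reading+list&Content=Hello' },
  { ip: '198.51.100.9', user: 'editor', path: '/admin/article/add/do', body: 'Title=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&Content=x' },
  { ip: '198.51.100.9', user: 'editor', path: '/admin/article/add/do', body: 'Title=ok&Content=%3Cscript%3Ealert(1)%3C%2Fscript%3E' },
  { ip: '198.51.100.9', user: 'editor', path: '/admin/article/add/do', body: 'Title=%253Csvg+onload%253Dalert(1)%253E' },
  { ip: '203.0.113.7',  user: 'editor', path: '/admin/book/list',      body: '' },
];

// Count flagged submissions per client and return those at or above the
// threshold: one hit may be a typo, repeated hits look like probing.
function triage(requests, threshold = 2) {
  const perClient = new Map();
  for (const r of requests) {
    if (inspectForm(r.path, r.body).length === 0) continue;
    const key = `${r.ip} ${r.user}`;
    perClient.set(key, (perClient.get(key) ?? 0) + 1);
  }
  return [...perClient]
    .filter(([, n]) => n >= threshold)
    .map(([client, flagged]) => ({ client, flagged }));
}

console.log(JSON.stringify(triage(SAMPLE_REQUESTS)));
```

The decoding step matters more than the pattern list: a rule that matches the raw body misses the double-encoded fourth request entirely, while a rule that decodes more aggressively than the application does will flag traffic the backend would never have interpreted as markup. Match the proxy's decoding to the application's.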
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-04-26T07:03:32.057Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef8cc
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 6:32:51 PM
Last updated: 8/16/2025, 6:18:16 PM