CVE-2025-41107 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting QDOCS Smart School version 7.0. The vulnerability stems from insufficient sanitization and validation of user-supplied input parameters such as 'firstname', 'lastname', and 'guardian_name' submitted via POST requests to the '/online_admission' endpoint. Because the input is stored and later rendered in web pages without proper neutralization, an attacker can inject malicious JavaScript code that executes in the context of authenticated users viewing the affected pages. This can lead to session cookie theft, enabling attackers to hijack user sessions and potentially escalate privileges or access sensitive data. The vulnerability requires the attacker to be able to send crafted POST requests and relies on user interaction to trigger the payload, as the malicious script executes when the victim loads the infected page. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges), user interaction required (UI:P), and limited scope and impact on confidentiality, integrity, and availability. No known public exploits exist yet, but the vulnerability poses a moderate risk, especially in environments where Smart School is used for managing sensitive educational data and user accounts. The lack of a patch at the time of reporting necessitates immediate mitigation through input validation and output encoding best practices.

For European organizations, particularly educational institutions using QDOCS Smart School 7.0, this vulnerability could lead to unauthorized access to user accounts through session hijacking. The theft of session cookies can compromise the confidentiality and integrity of student and staff data, including personal information and academic records. This could result in data breaches, reputational damage, and potential regulatory penalties under GDPR due to exposure of personal data. Additionally, attackers could leverage compromised accounts to escalate privileges or disrupt school operations, impacting availability. The medium severity reflects that while exploitation requires some user interaction and low privileges, the widespread use of Smart School in Europe’s education sector increases the potential impact. Organizations with large user bases or sensitive data are at higher risk.

European organizations should implement strict input validation on all user-supplied data fields, especially those involved in the '/online_admission' endpoint. Employ context-aware output encoding (e.g., HTML entity encoding) before rendering user inputs in web pages to prevent script execution. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitor web application logs for suspicious POST requests targeting vulnerable parameters. Educate users about phishing and suspicious links to reduce the risk of triggering malicious payloads. Since no official patch is currently available, consider temporary workarounds such as disabling or restricting access to the online admission feature until a fix is released. Engage with the vendor QDOCS for timely updates and patches. Conduct regular security assessments and penetration testing focused on XSS vulnerabilities. Implement multi-factor authentication to reduce the impact of session hijacking.