CVE-2025-46173 is a Cross Site Scripting (XSS) vulnerability identified in the code-projects Online Exam Mastering System version 1.0. The vulnerability arises from insufficient input validation or output encoding of the 'name' field within the feedback form. An attacker can inject malicious scripts into this field, which, when rendered in a victim's browser, can execute arbitrary JavaScript code. This type of vulnerability is classified under CWE-79. The CVSS v3.1 base score is 6.1, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reveals that the attack can be performed remotely over the network without any privileges and requires user interaction (the victim must open or interact with the malicious input). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component, potentially impacting confidentiality and integrity but not availability. The impact on confidentiality and integrity is low, as the attacker can steal or manipulate data accessible to the victim's session but cannot directly compromise system availability or escalate privileges. No known exploits are reported in the wild, and no patches or vendor information are currently available. This vulnerability could be leveraged for session hijacking, defacement, or phishing attacks within the context of the Online Exam Mastering System's feedback mechanism.

For European organizations using the code-projects Online Exam Mastering System 1.0, this XSS vulnerability poses risks primarily related to user data confidentiality and integrity. Attackers could exploit this flaw to execute malicious scripts in the browsers of users submitting or viewing feedback, potentially stealing session cookies, redirecting users to malicious sites, or manipulating displayed content. This could lead to unauthorized access to user accounts, leakage of sensitive exam-related information, or reputational damage. Educational institutions and certification bodies relying on this system may face disruption in trust and compliance challenges, especially under GDPR regulations concerning personal data protection. Although the vulnerability does not directly impact system availability, the indirect effects of phishing or social engineering attacks could have operational consequences. The requirement for user interaction limits the attack vector to scenarios where users engage with the feedback form or related content, but given the nature of online exam platforms, users are likely to interact frequently, increasing exposure.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the 'name' field of the feedback form to neutralize any embedded scripts. Employing a Content Security Policy (CSP) can help restrict the execution of unauthorized scripts in the browser. Additionally, sanitizing user inputs on both client and server sides using well-established libraries designed to prevent XSS is critical. Since no official patches are currently available, organizations should consider temporarily disabling or restricting the feedback form functionality until a fix is released. Monitoring web application logs for suspicious input patterns and educating users about the risks of interacting with untrusted content can further reduce risk. Implementing multi-factor authentication (MFA) for user accounts can limit the impact of session hijacking attempts. Finally, organizations should maintain up-to-date web application firewalls (WAFs) configured to detect and block common XSS attack payloads targeting this system.