CVE-2025-50869 is a stored Cross-Site Scripting (XSS) vulnerability identified in the qureydetails.php page of the Institute-of-Current-Students 1.0 web application. This vulnerability arises because the input fields for 'Query' and 'Answer' do not properly sanitize user-supplied input, allowing authenticated users to inject arbitrary JavaScript code. Stored XSS vulnerabilities occur when malicious scripts submitted by an attacker are permanently stored on the target server (e.g., in a database) and later executed in the browsers of users who access the affected page. In this case, since the injection point is within a page that likely displays query and answer data, any user viewing this page could have malicious scripts executed in their browser context. The vulnerability requires authentication, meaning only users with valid credentials can exploit it to inject malicious payloads. However, once injected, the malicious script can affect any user who views the compromised content, potentially leading to session hijacking, credential theft, unauthorized actions on behalf of users, or distribution of malware. The lack of proper input sanitization indicates a failure in input validation and output encoding mechanisms, which are critical defenses against XSS. No patch or fix information is currently available, and no known exploits have been reported in the wild. The CVSS score has not been assigned yet, and the affected versions are unspecified beyond version 1.0. Given the nature of stored XSS and its potential to impact multiple users, this vulnerability represents a significant security risk to the affected application and its user base.

For European organizations using the Institute-of-Current-Students 1.0 application, this vulnerability could lead to serious security incidents. Stored XSS can be leveraged to steal sensitive user information, including authentication tokens and personal data, which may violate GDPR and other data protection regulations, leading to legal and financial repercussions. Additionally, attackers could perform actions on behalf of legitimate users, potentially compromising the integrity of student records or other critical data. The reputational damage from a successful attack could be substantial, especially for educational institutions that rely on trust and data confidentiality. Furthermore, if the application is integrated with other internal systems or portals, the XSS vulnerability could serve as an entry point for broader attacks within the organizational network. The requirement for authentication to exploit the vulnerability somewhat limits the attack surface but does not eliminate risk, as insider threats or compromised user accounts could be used to inject malicious scripts. Given the lack of known exploits, the immediate risk might be moderate, but the vulnerability should be treated with urgency due to the potential for widespread impact once exploited.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the qureydetails.php page, specifically for the 'Query' and 'Answer' fields. Employing a whitelist approach for allowed characters and escaping or encoding user input before rendering it in the browser can prevent script execution. Utilizing security libraries or frameworks that automatically handle XSS protection is recommended. Additionally, implementing Content Security Policy (CSP) headers can reduce the impact of any injected scripts by restricting the sources from which scripts can be loaded or executed. Organizations should also enforce strong authentication and monitor user activities to detect any anomalous behavior indicative of exploitation attempts. Since no official patch is currently available, organizations should consider temporarily restricting access to the vulnerable functionality or applying web application firewall (WAF) rules to detect and block malicious payloads targeting these input fields. Regular security assessments and code reviews should be conducted to identify and remediate similar vulnerabilities proactively.