CVE-2025-51411 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Institute-of-Current-Students web application version 1.0. The vulnerability exists in the /postquerypublic endpoint, specifically via the email parameter. The application fails to properly sanitize or encode user-supplied input before reflecting it back in the HTML response. This improper input handling allows an unauthenticated attacker to craft a malicious URL or form submission that injects arbitrary JavaScript code into the victim's browser context. When a victim clicks on the crafted link or submits the malicious form, the injected script executes with the same privileges as the legitimate website, potentially leading to session hijacking, theft of credentials, or other client-side attacks such as redirecting users to phishing sites or installing malware. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.1, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) shows that the attack can be performed remotely over the network without privileges but requires user interaction (clicking the malicious link). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, and the impact is limited to confidentiality and integrity with no impact on availability. No known exploits are currently reported in the wild, and no patches have been published yet. This vulnerability highlights a common web application security flaw that can be exploited to compromise user trust and data confidentiality.

For European organizations using the Institute-of-Current-Students application, this vulnerability poses a significant risk to user data confidentiality and integrity. Attackers can exploit this flaw to hijack user sessions, steal login credentials, or perform actions on behalf of users, potentially leading to unauthorized access to sensitive student information or internal systems. Educational institutions and related administrative bodies are likely targets, and exploitation could result in data breaches, reputational damage, and regulatory non-compliance under GDPR due to exposure of personal data. The reflected XSS nature means attacks rely on social engineering to trick users into clicking malicious links, which can be distributed via email or other communication channels. This increases the risk of phishing campaigns leveraging this vulnerability. Additionally, the scope change in the CVSS vector indicates that the impact could extend beyond the vulnerable component, possibly affecting other integrated systems or services. While availability is not impacted, the compromise of confidentiality and integrity can disrupt normal operations and erode trust in the affected platforms.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the email parameter in the /postquerypublic endpoint. Specifically, all user-supplied input must be sanitized to remove or encode special characters that could be interpreted as executable code in HTML or JavaScript contexts. Employing context-aware output encoding libraries (e.g., OWASP Java Encoder or similar) is recommended to prevent injection. Additionally, implementing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts in the browser. Organizations should also educate users about the risks of clicking on suspicious links and encourage the use of multi-factor authentication to reduce the impact of credential theft. Monitoring web application logs for unusual input patterns and anomalous requests targeting the email parameter can aid in early detection of exploitation attempts. Since no patch is currently available, applying web application firewall (WAF) rules to detect and block malicious payloads targeting this endpoint can provide interim protection. Finally, organizations should prioritize patching once a fix is released and conduct thorough security testing to verify remediation.