
CVE-2025-56697: n/a

Severity: High
Published: Tue Sep 16 2025 (09/16/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the /users/adminpanel/admin/home.php?page=feedbacks file of Kashipara Computer Base Test v1.0. Attackers can inject malicious scripts via the smyFeedbacks POST parameter in /users/home.php.

AI-Powered Analysis

Last updated: 09/16/2025, 11:27:14 UTC

Technical Analysis

CVE-2025-56697 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Kashipara Computer Base Test v1.0 application, specifically within the /users/adminpanel/admin/home.php?page=feedbacks endpoint. The vulnerability arises due to insufficient input validation or output encoding of the smyFeedbacks POST parameter in the /users/home.php script. An attacker can exploit this flaw by injecting malicious JavaScript code into the feedback submission functionality, which is then stored on the server and subsequently rendered in the admin panel without proper sanitization. When an administrator or user with access to the admin panel views the feedback page, the malicious script executes in their browser context. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of the admin user, or the deployment of further malware. The vulnerability is particularly dangerous because it is stored, meaning the malicious payload persists and can affect multiple users over time. No CVSS score is currently assigned, and no patches or known exploits in the wild have been reported as of the publication date. The lack of affected version details suggests the vulnerability may impact all deployments of version 1.0 or earlier, or that versioning information is incomplete. Stored XSS vulnerabilities typically require no authentication to inject payloads if the feedback form is publicly accessible, but exploitation impact is realized when privileged users access the affected page.

Potential Impact

For European organizations using Kashipara Computer Base Test v1.0, this vulnerability poses a significant risk to the confidentiality and integrity of administrative sessions and data. Successful exploitation could allow attackers to hijack admin accounts, leading to unauthorized access to sensitive test data, user information, or administrative controls. This could result in data breaches, manipulation of test results, or disruption of testing services. The persistence of the malicious script increases the attack surface and potential damage. Organizations in sectors such as education, certification bodies, or training providers relying on this software could face reputational damage, regulatory penalties under GDPR for data breaches, and operational downtime. Since the vulnerability affects the admin panel, the availability impact is moderate but could escalate if attackers leverage the access to deploy ransomware or other disruptive payloads. The lack of known exploits suggests a window of opportunity for proactive mitigation before widespread attacks occur.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately audit the input handling of the smyFeedbacks POST parameter and implement robust input validation and output encoding to neutralize malicious scripts. Employing a web application firewall (WAF) with rules targeting XSS payloads can provide interim protection. Restrict access to the admin panel via network segmentation and strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of exploitation. Regularly monitor logs for unusual activity related to feedback submissions and admin panel access. If possible, update or patch the Kashipara Computer Base Test software once a vendor fix is released. In the absence of an official patch, consider disabling or restricting the feedback feature temporarily. Conduct security awareness training for administrators to recognize signs of XSS exploitation and encourage the use of security-conscious browsers or extensions that can mitigate script-based attacks.
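The following PHP is an added example of the input validation and output encoding recommended above; it is not Kashipara's code. It assumes a PDO connection, a `feedbacks` table with a `message` column, and a simple table layout on the admin feedback page; only the parameter name `smyFeedbacks` and the two script locations come from the advisory.

```php
<?php
// Added example (not Kashipara code): hardened handling of the smyFeedbacks
// POST parameter. Table/column names and the PDO handle are assumptions.
declare(strict_types=1);

// Encode untrusted text for an HTML text or attribute context. ENT_QUOTES also
// escapes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, so bad bytes cannot silently erase the output.
function render_feedback(string $feedback): string
{
    return htmlspecialchars($feedback, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input side (/users/home.php): bound the shape of what is stored. Do not try
// to strip "<script>" here; encoding at output time is the actual control.
function read_feedback_from_post(array $post): ?string
{
    $raw = $post['smyFeedbacks'] ?? '';
    $raw = is_string($raw) ? trim($raw) : '';
    // Reject empty, invalid-UTF-8 or oversized submissions.
    if ($raw === '' || !mb_check_encoding($raw, 'UTF-8') || mb_strlen($raw, 'UTF-8') > 2000) {
        return null;
    }
    return $raw;
}

// Store the raw text with a prepared statement. HTML encoding is deliberately
// NOT applied at storage time, so the value stays usable in non-HTML contexts.
function store_feedback(PDO $db, string $feedback): void
{
    $stmt = $db->prepare('INSERT INTO feedbacks (message) VALUES (:m)');
    $stmt->execute([':m' => $feedback]);
}

// Output side (admin feedback page): every stored value passes through
// render_feedback() before it reaches the HTML. A CSP without 'unsafe-inline'
// is defense in depth in case an escape is ever missed elsewhere.
function emit_feedback_page(PDO $db): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('Content-Type: text/html; charset=UTF-8');
    echo '<table>';
    foreach ($db->query('SELECT message FROM feedbacks') as $row) {
        // Unsafe pattern this replaces: echo '<td>' . $row['message'] . '</td>';
        echo '<tr><td>' . render_feedback($row['message']) . '</td></tr>';
    }
    echo '</table>';
}
```

If the feedback is ever placed inside a JavaScript string or a URL rather than HTML text, a different encoder for that context is required; `htmlspecialchars` alone is only correct for HTML text and attribute values.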


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68c9496f561c5e692a3e1c5d

Added to database: 9/16/2025, 11:26:39 AM

Last enriched: 9/16/2025, 11:27:14 AM

Last updated: 9/16/2025, 12:08:19 PM

