CVE-2025-5722: Cross Site Scripting in SourceCodester Student Result Management System
A vulnerability has been found in SourceCodester Student Result Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /script/academic/terms of the component Add Academic Term. The manipulation of the argument Academic Term leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5722 is a cross-site scripting (XSS) vulnerability in SourceCodester Student Result Management System version 1.0. It resides in the /script/academic/terms component, specifically in the Add Academic Term functionality, where the 'Academic Term' argument is not properly sanitized or validated, allowing an attacker to inject script into the page. The vulnerability can be exploited remotely without requiring authentication, although the CVSS vector indicates a requirement for high privileges and user interaction, so exploitation complexity may vary with the deployment context. Successful exploitation executes arbitrary JavaScript in the context of the victim's browser, which can be used to steal session cookies, perform actions on behalf of the user, or deliver further malicious payloads. The vulnerability has been publicly disclosed, but no exploits have been observed in the wild. The CVSS 4.0 base score is 4.8, a medium severity rating reflecting limited impact on confidentiality and integrity and no impact on availability: confidentiality is not affected directly, integrity has a low impact from the injected script, and the need for user interaction limits the exploitation scope. The absence of patches or vendor advisories at this time increases the risk for organizations running this software.
Potential Impact
For European organizations, particularly educational institutions or administrative bodies using the SourceCodester Student Result Management System, this vulnerability poses a risk of unauthorized script execution within user sessions. This can lead to session hijacking, defacement of web interfaces, or phishing attacks targeting students, faculty, or administrative staff. The impact is primarily on data integrity and user trust rather than system availability or confidentiality of stored data. Given that the system manages student results, manipulation or unauthorized viewing of academic data could occur indirectly through social engineering or session compromise. The medium severity rating suggests that while the vulnerability is not critical, it could be leveraged as part of a broader attack chain. European organizations with limited IT security resources or those that have not updated or hardened their web applications are more vulnerable. Additionally, the public disclosure without available patches increases the window of exposure, necessitating immediate mitigation efforts to prevent exploitation.
Mitigation Recommendations
1. Immediately implement input validation and output encoding on the 'Academic Term' parameter to neutralize malicious scripts.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context.
3. Conduct a thorough code review of the affected component and other input fields to identify and remediate similar XSS weaknesses.
4. Isolate the Student Result Management System behind web application firewalls (WAFs) configured to detect and block XSS payloads.
5. Educate users on the risks of clicking suspicious links or executing unknown scripts, as user interaction is required for exploitation.
6. Monitor web server logs for unusual requests targeting the vulnerable endpoint and anomalous user behavior.
7. If possible, upgrade to a newer, patched version of the software once available, or consider alternative solutions with better security track records.
8. Implement multi-factor authentication and session management best practices to limit the impact of session hijacking.
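The validation, output-encoding, CSP and log-monitoring recommendations above, worked through as an added Python example (not code from the advisory or from the SourceCodester project). The form field name academic_term, the CSP policy and the access-log lines are constructed assumptions; the advisory itself names only the endpoint and the 'Academic Term' argument.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Endpoint and argument named in the advisory. The form field name
# "academic_term" is an assumption; the advisory only says "Academic Term".
VULN_PATH = "/script/academic/terms"
PARAM = "academic_term"

def validate_term(term: str) -> bool:
    """Allow-list input validation (mitigation 1): short labels, no markup characters."""
    return re.fullmatch(r"[A-Za-z0-9 \-/]{1,40}", term) is not None

def render_term_row(term: str) -> str:
    """Output encoding (mitigation 1): escape on the way out; quote=True also
    makes the value safe inside an attribute."""
    safe = html.escape(term, quote=True)
    return f'<tr><td data-term="{safe}">{safe}</td></tr>'

# Response header for mitigation 2: no inline scripts, no remote script hosts.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")

# Constructed Common Log Format lines for mitigation 6. Standard access logs
# only carry query strings, so POST bodies need WAF or application logging.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2025:12:30:01 +0000] "GET /script/academic/terms?academic_term=First+Term HTTP/1.1" 200 734
10.0.0.9 - - [06/Jun/2025:12:31:14 +0000] "GET /script/academic/terms?academic_term=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 734
10.0.0.5 - - [06/Jun/2025:12:32:40 +0000] "GET /script/academic/index HTTP/1.1" 200 512
"""

_REQ = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')
_MARKUP = re.compile(r"""[<>"']|javascript:|\bon\w+=""", re.IGNORECASE)

def suspicious_requests(log_text: str) -> list[dict]:
    """Requests to the vulnerable endpoint whose Academic Term value, once
    URL-decoded by parse_qs, carries markup or script-like tokens."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue
        ip, ts, _method, target, _status = m.groups()
        url = urlparse(target)
        if url.path != VULN_PATH:
            continue
        for value in parse_qs(url.query).get(PARAM, []):
            if _MARKUP.search(value):
                hits.append({"ip": ip, "time": ts, "value": value})
    return hits
```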
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-05T12:16:41.576Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6842df031a426642debc9579
Added to database: 6/6/2025, 12:28:51 PM
Last enriched: 7/7/2025, 7:13:05 PM
Last updated: 7/30/2025, 4:13:24 PM