CVE-2025-5723 is a cross-site scripting (XSS) vulnerability identified in SourceCodester Student Result Management System version 1.0. The vulnerability resides in the processing of the 'Class Name' argument within the /script/academic/classes component, specifically on the Classes Page. An attacker can manipulate this input parameter to inject malicious scripts that execute in the context of the victim's browser. This vulnerability is remotely exploitable without requiring authentication, although it requires user interaction (e.g., a victim clicking a crafted link or visiting a malicious page). The CVSS 4.0 base score is 4.8, indicating a medium severity level. The vector details show that the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:H indicates high privileges required, but this conflicts with the description; given the CVSS vector, PR:H means privileges required, so the vulnerability requires some privileges), and user interaction is necessary (UI:P). The impact on confidentiality is none, integrity is low, and availability is none. The vulnerability does not affect system confidentiality or availability but can allow an attacker to execute arbitrary scripts in the context of a logged-in user, potentially leading to session hijacking, defacement, or phishing attacks within the application. No patches or fixes are currently linked, and no known exploits are reported in the wild, but public disclosure increases the risk of exploitation attempts. The vulnerability affects only version 1.0 of the Student Result Management System, which is a niche application used primarily in academic environments for managing student results and classes.

For European organizations, particularly educational institutions using the SourceCodester Student Result Management System 1.0, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data integrity. While the direct impact on system availability and confidentiality is limited, successful exploitation could lead to unauthorized actions performed on behalf of legitimate users, data manipulation, or exposure of sensitive academic information. This could damage institutional reputation, violate data protection regulations such as GDPR, and potentially lead to unauthorized access to student records. The requirement for user interaction and some privilege level reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks against administrative users or staff. Given the educational sector's increasing reliance on digital management systems, this vulnerability could be leveraged in social engineering campaigns or combined with other vulnerabilities to escalate privileges or gain broader access.

Organizations should immediately review their use of the SourceCodester Student Result Management System and verify if version 1.0 is deployed. If so, they should consider the following specific measures: 1) Implement strict input validation and output encoding on the 'Class Name' parameter to neutralize malicious scripts. 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3) Limit user privileges to the minimum necessary, especially for users who can access the Classes Page, to reduce the impact of exploitation. 4) Educate users and administrators about the risks of clicking on untrusted links or inputs that could trigger XSS attacks. 5) Monitor web application logs for suspicious input patterns targeting the vulnerable parameter. 6) If possible, upgrade to a newer, patched version of the software or apply vendor-provided patches once available. 7) Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this application component. These targeted mitigations go beyond generic advice by focusing on the specific vulnerable parameter and the context of the application.