
CVE-2025-5984: Cross Site Scripting in SourceCodester Online Student Clearance System

Medium
Tags: Vulnerability, CVE-2025-5984
Published: Tue Jun 10 2025 (06/10/2025, 22:31:05 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Student Clearance System

Description

A vulnerability has been found in SourceCodester Online Student Clearance System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /Admin/add-fee.php. The manipulation of the argument txtamt leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/11/2025, 04:32:49 UTC

Technical Analysis

CVE-2025-5984 is a cross-site scripting (XSS) vulnerability in version 1.0 of the SourceCodester Online Student Clearance System, located in /Admin/add-fee.php. The script accepts a fee amount in the txtamt parameter; the advisory states that manipulation of this argument leads to XSS, which indicates the value is written back into the HTML response without being validated as a number or encoded for its output context. The CVSS 4.0 vector describes a network-reachable attack (AV:N) of low complexity (AC:L) that requires low privileges (PR:L), i.e. some authenticated access to the application, and passive user interaction (UI:P), meaning the victim only has to load the affected page rather than click a specific element. Confidentiality and availability impact are rated none and integrity impact low, giving a medium severity score of 5.1. A proof of concept has been published; no in-the-wild exploitation is recorded on this page. When the payload executes in a victim's browser it runs in the application's own origin, so it can read whatever that session can read, submit requests as the victim, alter the rendered page, or redirect to an attacker-controlled site. Because the sink sits in an administrative function, the realistic target is an administrator's session rather than an ordinary student account, and the consequences of a successful attack are correspondingly larger than the integrity-low rating alone suggests.

Potential Impact

For European organizations, particularly educational institutions and administrative bodies running the SourceCodester Online Student Clearance System, the risk is script execution inside the administrative interface. A successful attack can hijack an administrator's session, perform fee or clearance changes on the administrator's behalf, or exfiltrate student data that the administrator's pages display. The injected script runs in the application's origin, so the attack does not depend on any browser weakness: a fully patched browser executes it as long as the application reflects the payload. Student clearance records are personal data under the GDPR, so a compromise that exposes or alters them can trigger breach-notification obligations in addition to reputational damage. The CVSS vector rates confidentiality and availability impact as none and integrity as low, but the practical consequence of an administrator-session compromise, including follow-on access to other internal systems reached from that session, can be broader than those ratings suggest.

Mitigation Recommendations

The root-cause fix is in /Admin/add-fee.php: validate txtamt server-side as a numeric amount and reject anything else, and encode every value that is written back into HTML for its output context (htmlspecialchars with ENT_QUOTES for attribute and element content). The advisory names only txtamt, but the same unescaped-echo pattern is likely repeated in the application's other forms, so review every parameter the scripts reflect rather than patching this one field in isolation. A web application firewall rule that blocks script-like content in txtamt adds a layer of defence but is not a fix; encoding variants routinely bypass pattern-based rules. Setting the session cookie's HttpOnly and SameSite attributes limits what a reflected script can steal, and a Content-Security-Policy that disallows inline script neutralizes the classic alert-style payload outright. Until the code is fixed, restrict the /Admin/ path to trusted networks or VPN access, and apply a vendor update when one is released. Because the payload arrives in a crafted request, administrators should treat links to the admin portal that arrive by e-mail or chat with suspicion. Finally, fold input-handling review into regular code reviews and security assessments so that the same defect is not reintroduced elsewhere.
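The following is an added example and is not code from the SourceCodester project or from this page. It reconstructs the class of flaw the advisory describes for txtamt (a request parameter echoed into HTML unchanged) and places the validated, encoded version next to it. The function names, the request array and the payload are constructed for illustration; the real add-fee.php may be structured differently.

```php
<?php
// Added example, not the project's own code. Reconstructs the bug class
// reported for /Admin/add-fee.php: the txtamt parameter reflected into HTML
// without validation or encoding. Function names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is interpolated into an attribute.
// A value such as  "><script>alert(1)</script>  closes the attribute and
// the injected script runs in the viewer's (administrator's) browser.
function renderFeeFormVulnerable(array $post): string
{
    $amt = is_string($post['txtamt'] ?? null) ? $post['txtamt'] : '';
    return '<input type="text" name="txtamt" value="' . $amt . '">';
}

// Hardened pattern, two independent layers:
//  1. validate: an amount must be a non-negative decimal number; anything
//     else is rejected before it reaches any sink (database, HTML, log).
//  2. encode: whatever is written into HTML is escaped for the attribute
//     context with htmlspecialchars(ENT_QUOTES | ENT_SUBSTITUTE).
function parseAmount(string $raw): ?string
{
    $raw = trim($raw);
    // Up to 10 integer digits and an optional fraction of at most 2 digits.
    if (!preg_match('/^\d{1,10}(?:\.\d{1,2})?\z/', $raw)) {
        return null;
    }
    // Normalize to a canonical "1234.50" form for storage and display.
    return number_format((float) $raw, 2, '.', '');
}

function renderFeeFormHardened(array $post): string
{
    $raw = is_string($post['txtamt'] ?? null) ? $post['txtamt'] : '';
    $amt = parseAmount($raw);
    if ($amt === null) {
        // Never reflect the rejected input; emit a fixed message instead.
        return '<p class="error">Invalid amount.</p>'
             . '<input type="text" name="txtamt" value="">';
    }
    // Encoding is still applied even though validation already restricted
    // the value: the two controls must not depend on each other.
    $safe = htmlspecialchars($amt, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="txtamt" value="' . $safe . '">';
}

// Constructed request body, as PHP would expose it in $_POST after decoding.
$payload = ['txtamt' => '"><script>alert(document.cookie)</script>'];

echo "Vulnerable output:\n", renderFeeFormVulnerable($payload), "\n\n";
echo "Hardened output, hostile input:\n", renderFeeFormHardened($payload), "\n\n";
echo "Hardened output, valid input:\n",
     renderFeeFormHardened(['txtamt' => '1500.5']), "\n";
```

Run it with `php` from the command line to compare the three outputs. The vulnerable function emits the closing quote and the script element verbatim; the hardened function returns the fixed error markup for the hostile input and `value="1500.50"` for the valid one. Keeping validation (reject) and encoding (escape) as separate steps matters: validation alone fails the moment someone relaxes the regex for a new field, and encoding alone still lets garbage amounts reach the database.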


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-10T16:05:08.443Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6848b4e53cd93dcca8312474

Added to database: 6/10/2025, 10:42:45 PM

Last enriched: 7/11/2025, 4:32:49 AM

Last updated: 8/2/2025, 2:41:36 AM
