CVE-2025-6477: Cross Site Scripting in SourceCodester Student Result Management System
A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /script/admin/system of the component System Settings Page. The manipulation of the argument School Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6477 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the SourceCodester Student Result Management System, specifically within an unspecified functionality of the /script/admin/system file related to the System Settings Page. The vulnerability arises from improper sanitization or validation of the 'School Name' argument, which can be manipulated by an attacker to inject malicious scripts. This flaw allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser when they access the affected page. The attack vector is remote; according to the description no prior authentication is required, but some user interaction is needed (e.g., an administrator or user visiting a crafted URL or page). The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits are currently reported in the wild. The CVSS 4.0 base score is 4.8, indicating medium severity. The vector string indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), which conflicts with the description's statement that no authentication is needed and likely reflects either a misclassification or a genuine requirement for high privileges, user interaction required (UI:P), and limited impact on confidentiality and integrity with no impact on availability. The vulnerability primarily threatens the integrity of the system by enabling script injection, which could lead to session hijacking, defacement, or redirection to malicious sites. Since the affected component is part of an administrative system settings page, exploitation might require administrative privileges, limiting the attack surface but increasing the risk if credentials are compromised or if insiders are malicious. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for mitigation through other means.
Potential Impact
For European organizations, especially educational institutions and administrative bodies using the SourceCodester Student Result Management System, this vulnerability poses a risk of unauthorized script execution within the administrative interface. Successful exploitation could lead to session hijacking of administrative users, unauthorized changes to system settings, or the injection of malicious content that could compromise user trust and data integrity. Given the sensitive nature of student records and results, any compromise could have reputational damage, legal implications under GDPR due to potential data exposure, and operational disruption. The medium severity and requirement for administrative privileges reduce the likelihood of widespread exploitation but do not eliminate the risk, particularly in environments with weak credential management or insider threats. Additionally, the public disclosure of the vulnerability increases the urgency for European organizations to assess their exposure and implement mitigations promptly.
Mitigation Recommendations
1. Immediate mitigation should include restricting access to the System Settings Page to trusted administrators only, ideally through network segmentation or VPN access controls.
2. Implement strict input validation and output encoding on the 'School Name' parameter to neutralize malicious scripts; if source code modification is possible, sanitize inputs using established libraries or frameworks.
3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the application context.
4. Monitor administrative logs for unusual activities or access patterns that could indicate exploitation attempts.
5. Educate administrators about phishing and social engineering risks that could lead to credential compromise.
6. If possible, disable or restrict the vulnerable functionality until a vendor patch is released.
7. Regularly update and patch the system once a fix becomes available.
8. Conduct security assessments and penetration testing focused on web application vulnerabilities to identify and remediate similar issues proactively.
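Recommendations 2 and 3 above, shown as an added PHP example that is not the project's own code: a stored "School Name" setting echoed into the settings form without encoding (the vulnerable pattern), beside the hardened form that validates on save, encodes on output and sends a CSP header. The function names and the form field name are assumptions.

```php
<?php
// Added example, not code from the Student Result Management System.
// Assumed: the School Name setting is rendered back into an <input> on the
// System Settings Page, which is the context the advisory describes.

// Send the CSP before any output. Blocking inline scripts is a defence-in-depth
// layer: it limits what an injected <script> or on* attribute can do even if an
// encoding call is missed somewhere else in the page.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");

// Vulnerable pattern: the stored value is concatenated straight into HTML.
// A quote or angle bracket in the stored name terminates the attribute and
// lets attacker-controlled markup become part of the page.
function render_school_name_vulnerable(string $schoolName): string
{
    return '<input type="text" name="school_name" value="' . $schoolName . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles; ENT_HTML5 and an explicit charset avoid
// surprises from legacy defaults.
function render_school_name_safe(string $schoolName): string
{
    $encoded = htmlspecialchars($schoolName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="school_name" value="' . $encoded . '">';
}

// Validation on save (assumed to run on the POST handler for the settings
// page). A school name never needs angle brackets or quotes, so reject them
// here; output encoding above remains the primary control.
function validate_school_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Letters in any script, digits, spaces and a small set of punctuation.
    return preg_match('/^[\p{L}\p{N} .,&()\-]+$/u', $name) === 1 ? $name : null;
}

// Constructed sample value (not a real school): contains a quote and angle
// brackets, so it is rejected on save and rendered inertly on output.
$constructed = 'Springfield "High" <School>';
var_dump(validate_school_name($constructed));   // null: rejected on save
echo render_school_name_safe($constructed), PHP_EOL;  // quotes/brackets encoded
```

Apply the same encoding to every other place the setting is displayed (page titles, report headers, printed result sheets), since a stored XSS fires wherever the raw value is rendered, not only on the settings form.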
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-21T05:41:56.099Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6857ff61179a4edd60b46408
Added to database: 6/22/2025, 1:04:33 PM
Last enriched: 6/22/2025, 1:19:37 PM
Last updated: 8/15/2025, 9:58:29 PM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)