CVE-2025-65881 identifies a Cross Site Scripting (XSS) vulnerability in Sourcecodester Zoo Management System version 1.0, located in the /classes/Login.php script. XSS vulnerabilities arise when an application fails to properly sanitize user-supplied input, allowing attackers to inject malicious scripts that execute in the context of other users' browsers. This particular flaw is classified under CWE-79, indicating improper neutralization of input during web page generation. The vulnerability is remotely exploitable over the network without requiring authentication (AV:N/PR:N), but it requires user interaction (UI:R), such as clicking a crafted link or submitting a malicious form. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component, potentially impacting the confidentiality and integrity of user data. The CVSS score of 6.1 reflects a medium severity level, with partial loss of confidentiality and integrity but no impact on availability. No patches or known exploits have been reported at the time of publication, which suggests the vulnerability is newly disclosed. The affected software is niche, used primarily for managing zoo-related data, which may limit the attack surface but still poses risks to organizations relying on this system for operational management. Attackers could leverage this vulnerability to steal session cookies, perform phishing, or execute arbitrary scripts to manipulate user sessions or data.

For European organizations, the impact of this XSS vulnerability depends on the extent to which Sourcecodester Zoo Management System v1.0 is deployed. Organizations managing zoological parks, animal research centers, or related administrative systems could face risks of data leakage, session hijacking, or unauthorized actions performed on behalf of legitimate users. Confidentiality of user credentials or sensitive operational data could be compromised, leading to reputational damage or operational disruptions. Although availability is not directly affected, the integrity and confidentiality impacts could facilitate further attacks or unauthorized access. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially if attackers use social engineering to trick users into triggering the vulnerability. Given the medium severity, the threat is moderate but should not be ignored, especially in sectors where data integrity and confidentiality are critical.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding in the /classes/Login.php file to neutralize any malicious scripts before rendering user input in the browser. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Regularly update and patch the Zoo Management System once official fixes are released by the vendor. In the absence of official patches, apply custom code reviews and sanitization libraries to the affected components. Educate users about the risks of clicking unknown links or submitting untrusted input, as user interaction is required for exploitation. Monitor web application logs for unusual input patterns or repeated attempts to inject scripts. Additionally, consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the login functionality. Conduct periodic security assessments and penetration testing to identify and remediate similar vulnerabilities proactively.