CVE-2025-7601 is a cross-site scripting (XSS) vulnerability identified in version 3.0 of the PHPGurukul Online Library Management System, specifically within the /admin/student-history.php file. The vulnerability arises from improper sanitization or validation of the 'stdid' parameter, which can be manipulated by an attacker to inject malicious scripts. This flaw allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser when they access the affected page with a crafted 'stdid' parameter. The attack can be initiated remotely without authentication, although user interaction is required to trigger the malicious script execution (e.g., an administrator or user viewing the student history page). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector details show that the attack is network exploitable (AV:N), requires low attack complexity (AC:L), no privileges (PR:L) but does require user interaction (UI:P). The impact on confidentiality is none, integrity is low, and availability is none, reflecting that the primary risk is the execution of malicious scripts that could lead to session hijacking, defacement, or phishing attacks within the administrative interface. No patches or known exploits in the wild have been reported at the time of publication. The vulnerability is publicly disclosed, which increases the risk of exploitation by opportunistic attackers.

For European organizations using PHPGurukul Online Library Management System 3.0, this vulnerability poses a risk primarily to the integrity and security of administrative user sessions. Successful exploitation could lead to session hijacking, unauthorized actions performed by administrators, or the injection of malicious content that could mislead users or compromise sensitive data related to library management. While the confidentiality impact is limited, the integrity of administrative operations could be undermined, potentially affecting the accuracy of student records or library transactions. Given that the attack requires user interaction, the risk is higher in environments where administrators frequently access the student history page and may be targeted via phishing or social engineering. The vulnerability could also be leveraged as a foothold for further attacks within the network if combined with other vulnerabilities. European educational institutions or libraries using this system may face reputational damage, operational disruptions, and compliance risks under data protection regulations such as GDPR if personal data is exposed or manipulated.

To mitigate this vulnerability, organizations should implement input validation and output encoding on the 'stdid' parameter within /admin/student-history.php to prevent injection of malicious scripts. Specifically, employ context-aware encoding (e.g., HTML entity encoding) before rendering user-supplied input in the web interface. If possible, update or patch the PHPGurukul Online Library Management System to a version that addresses this vulnerability once available. In the absence of an official patch, consider applying web application firewall (WAF) rules to detect and block suspicious payloads targeting the 'stdid' parameter. Additionally, restrict administrative access to trusted networks and enforce multi-factor authentication to reduce the risk of session compromise. Conduct security awareness training for administrators to recognize phishing attempts that could deliver malicious links exploiting this vulnerability. Regularly monitor logs for unusual activity related to the student-history.php page and implement Content Security Policy (CSP) headers to limit the impact of potential XSS attacks.