
CVE-2025-9595: Cross Site Scripting in code-projects Student Information Management System

Medium
Tags: Vulnerability, CVE-2025-9595, cve
Published: Thu Aug 28 2025 (08/28/2025, 23:32:07 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Student Information Management System

Description

A vulnerability was found in code-projects Student Information Management System 1.0. The impacted element is an unknown function of the file /login.php. The manipulation of the argument uname results in cross site scripting. The attack may be performed from a remote location. The exploit has been made public and could be used.

AI-Powered Analysis

Last updated: 08/29/2025, 00:03:02 UTC

Technical Analysis

CVE-2025-9595 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the code-projects Student Information Management System, specifically within the /login.php file. The vulnerability arises from improper sanitization or validation of the 'uname' parameter: input supplied in that parameter is reflected into the page without encoding, so an attacker can inject markup or script. This flaw allows an attacker to execute arbitrary JavaScript in the context of the victim's browser when the victim interacts with the vulnerable login page. The attack can be performed remotely without authentication, although it requires user interaction (e.g., the victim visiting a crafted URL or submitting a manipulated form). The CVSS 4.0 base score is 5.3, indicating medium severity. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), passive user interaction required (UI:P), and limited impact on integrity (VI:L), with no impact on confidentiality or availability. No exploitation in the wild is known yet, but the exploit details have been publicly disclosed, which increases the risk of exploitation. XSS vulnerabilities like this can be leveraged for session hijacking, phishing, or delivering malware, especially in systems managing sensitive student information.

Potential Impact

For European organizations, particularly educational institutions using the affected Student Information Management System, this vulnerability poses a risk to the confidentiality and integrity of user sessions and data. Exploitation could lead to unauthorized access to student records, credential theft, or the spread of malware within the institution's network. Given the sensitivity of educational data under GDPR, any data breach or unauthorized data access could result in regulatory penalties and reputational damage. The remote exploitability without authentication increases the attack surface, especially if the system is accessible over the internet. Although the vulnerability requires user interaction, phishing campaigns or social engineering could be used to trick users into triggering the exploit. The limited impact on availability means the system is unlikely to be disrupted, but the confidentiality and integrity risks remain significant for protecting personal and academic data.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately implement input validation and output encoding on the 'uname' parameter in /login.php to prevent script injection. Specifically, use context-aware encoding (e.g., HTML entity encoding) before rendering user input in the browser. If possible, upgrade to a patched version of the Student Information Management System once available. In the absence of an official patch, apply web application firewall (WAF) rules to detect and block malicious payloads targeting the 'uname' parameter. Conduct security awareness training to educate users about phishing and suspicious links to reduce the risk of user interaction-based exploitation. Additionally, implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly monitor logs for unusual activity related to login attempts and parameter manipulation. Finally, review and harden authentication mechanisms to detect and prevent session hijacking attempts.
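The reflected pattern described above and the output-encoding plus CSP mitigation, as an added PHP example. This is not code from the code-projects application: the form markup, function names, the username character policy and the CSP values are assumptions chosen to illustrate the fix, and the sample input is constructed.

```php
<?php
// Added example, not the project's /login.php. Shows the unencoded-reflection
// pattern behind CVE-2025-9595 beside a hardened version of the same renderer.

declare(strict_types=1);

// Vulnerable pattern (assumed shape of the flaw): the submitted username is
// written straight back into the form, so quotes and angle brackets in `uname`
// are interpreted by the browser as markup instead of text.
function render_login_vulnerable(array $get): string
{
    $uname = $get['uname'] ?? '';
    return '<form method="post" action="/login.php">'
         . '<input type="text" name="uname" value="' . $uname . '">'
         . '<input type="password" name="pass">'
         . '<button type="submit">Login</button>'
         . '</form>';
}

// Context-aware output encoding for a double-quoted HTML attribute value.
// ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would otherwise silently drop the value.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened renderer: identical markup, but the reflected value is encoded.
function render_login_hardened(array $get): string
{
    $uname = $get['uname'] ?? '';
    return '<form method="post" action="/login.php">'
         . '<input type="text" name="uname" value="' . encode_html($uname) . '">'
         . '<input type="password" name="pass">'
         . '<button type="submit">Login</button>'
         . '</form>';
}

// Server-side input validation to apply before the username is used for a
// lookup. The allowed character set is an assumed policy, not the project's;
// validation complements encoding, it does not replace it.
function is_valid_uname(string $uname): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $uname) === 1;
}

// Defence in depth: a Content Security Policy that permits scripts only from
// the site's own origin or carrying a per-response nonce, so an injected inline
// script is blocked even if an encoding step is missed elsewhere.
function send_csp_header(string $nonce): void
{
    header("Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; "
         . "base-uri 'self'; frame-ancestors 'none'");
}

// Constructed sample input: a value that closes the attribute and adds a tag.
$sample = ['uname' => '"><b>x</b>'];

send_csp_header(bin2hex(random_bytes(16)));   // must precede any output
echo "Vulnerable: " . render_login_vulnerable($sample) . "\n";
echo "Hardened:   " . render_login_hardened($sample) . "\n";
echo "Valid uname: " . (is_valid_uname($sample['uname']) ? 'yes' : 'no') . "\n";
```

In the hardened output the sample renders as `value="&quot;&gt;&lt;b&gt;x&lt;/b&gt;"`, so the browser shows the characters literally and no tag is created. The nonce must be generated fresh per response and added as a `nonce` attribute on any inline `<script>` the page legitimately needs; with `default-src 'self'` and `object-src 'none'` in place, a WAF rule on the 'uname' parameter becomes a secondary control rather than the only one.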


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-28T14:54:17.518Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b0eaa5ad5a09ad00717768

Added to database: 8/28/2025, 11:47:49 PM

Last enriched: 8/29/2025, 12:03:02 AM

Last updated: 8/29/2025, 12:34:43 AM
