CVE Alert: CVE-2025-10467 – PROLIZ Computer Software Hardware Service Trade Ltd. Co. – OBS (Student Affairs Information System)

CVE-2025-10467

HIGH · No exploitation known

Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Stored XSS. This issue affects OBS (Student Affairs Information System): before v25.0401.

CVSS v3.1 (8.9)
AV NETWORK · AC LOW · PR LOW · UI REQUIRED · S CHANGED
Vendor
PROLIZ Computer Software Hardware Service Trade Ltd. Co.
Product
OBS (Student Affairs Information System)
Versions
All versions from 0 up to, but not including, v25.0401
CWE
CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’)
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Published
2025-09-25T13:30:04.076Z
Updated
2025-09-25T15:13:08.666Z

AI Summary Analysis

Risk verdict

High risk of stored XSS in OBS, with no active exploitation reported at this time.

Why this matters

Stored XSS can exfiltrate session data and compromise page integrity across the OBS web interface used by staff and students. Realistic attacker goals include credential theft, account manipulation, and phishing within the system, potentially enabling broader social engineering within the organisation.

Most likely attack path

An attacker submits malicious input that the application stores, and a later user loads a page that renders the stored payload without escaping. The vector requires network access, low privileges and user interaction, and the scope change (S:C) indicates the impact can extend beyond the vulnerable component, for example to other pages or data reachable in the victim's session context.

Who is most exposed

Universities or organisations using OBS as a web-based student information system are most at risk, especially where the service is internet-facing or input validation is weak.

Detection ideas

  • Look for stored payloads containing script tags or inline event handlers in content fields.
  • Identify rendered pages showing unexpected script execution or malformed HTML.
  • Monitor logs and WAF/IDS for XSS-like patterns and unusual form submissions.
  • Watch for user reports of pop-ups, altered pages, or session anomalies.
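The first three detection ideas can be reduced to one review job: pull the stored free-text fields (and, where available, the raw form submissions from logs) and flag values that carry script tags, inline event handlers, `javascript:` URIs or embedded frames. The scanner below is an added example written for this alert, not code from PROLIZ or from the OBS product; the field names, the pattern list and the sample records are constructed assumptions. It decodes URL- and entity-encoded values before matching so that a payload a submitter encoded to slip past a naive filter is still surfaced for review.

```python
import html
import re
from urllib.parse import unquote

# Assumed indicator set for XSS-like content in stored fields (constructed for this example).
# The handler list is deliberately finite to keep false positives on ordinary prose low.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "inline_event_handler": re.compile(
        r"\bon(load|error|click|mouseover|focus|blur|submit|change|keydown|keyup|input|toggle)\s*=",
        re.IGNORECASE,
    ),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "embedded_frame_or_object": re.compile(r"<\s*(iframe|object|embed)\b", re.IGNORECASE),
}


def normalize(value: str) -> str:
    """Undo URL encoding and HTML entities so an encoded payload still matches.

    The loop runs until the value stops changing (max 3 rounds), which also
    catches values that were double-encoded before being stored.
    """
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev = cur
        cur = html.unescape(unquote(cur))
    return cur


def scan_field(field: str, value: str) -> list[dict]:
    """Return one finding per indicator pattern that matches the (normalized) value."""
    decoded = normalize(value)
    findings = []
    for name, pattern in XSS_PATTERNS.items():
        match = pattern.search(decoded)
        if match:
            findings.append({
                "field": field,
                "pattern": name,
                "evidence": decoded[max(0, match.start() - 10): match.end() + 20],
            })
    return findings


def scan_records(records: list[dict]) -> list[dict]:
    """Scan every (field, value) pair of every stored record; records carry an 'id' for triage."""
    findings = []
    for record in records:
        for field, value in record.items():
            if field == "id" or not isinstance(value, str):
                continue
            for finding in scan_field(field, value):
                findings.append({"id": record["id"], **finding})
    return findings


# Constructed sample of stored profile/content rows; not data from any real OBS instance.
SAMPLE_RECORDS = [
    {"id": 1, "note": "Student attended office hours.", "bio": "Second-year, mathematics."},
    {"id": 2, "note": "ok", "bio": "<script>alert(1)</script>"},
    {"id": 3, "profile_url": "javascript:alert(1)", "bio": "Hi"},
    {"id": 4, "bio": "&lt;img src=x onerror=alert(1)&gt;"},          # entity-encoded on the way in
    {"id": 5, "note": "%3Cscript%3Ealert(1)%3C/script%3E"},          # URL-encoded on the way in
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f['id']} field {f['field']}: {f['pattern']} -> {f['evidence']!r}")
```

Run it against an export of the content tables (or a parsed slice of the application's request logs) and hand every hit to the people who own that data; a hit in an entity-encoded field is not automatically exploitable, but it tells you someone tried, which is exactly the signal the fourth detection idea (user reports) usually arrives too late to give.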

Mitigation and prioritisation

  • Patch to v25.0401 or newer; prioritise in next maintenance window.
  • Enforce server-side input validation and robust output encoding.
  • Implement a strong Content Security Policy and disable risky inline scripts where feasible.
  • Conduct a code review of input handling, and sanitise all stored data flows.
  • Deploy compensating controls: enhanced WAF rules, CSRF protections, and least-privilege access for content-generation components.
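The second and third mitigation items are the durable fix: stored data is encoded for the HTML context it lands in at render time, and a Content Security Policy denies inline script so that anything that does slip through has nothing to execute. The snippet below is an added illustration, not OBS code or a PROLIZ patch; the template, the field names and the sample record are constructed. It shows the unsafe "interpolate stored text straight into HTML" pattern beside a renderer that encodes text nodes, attribute values and URLs separately, plus the policy header a defender would pair with it.

```python
import html
from urllib.parse import urlsplit

# Constructed template for a student profile fragment (not OBS markup).
PROFILE_TEMPLATE = (
    '<div class="student">'
    '<h2 title="{name_attr}">{name}</h2>'
    '<p>{bio}</p>'
    '<a href="{url}">Homepage</a>'
    '</div>'
)


def render_profile_unsafe(record: dict) -> str:
    """'Before' pattern: stored values dropped into the page verbatim (stored XSS sink)."""
    return PROFILE_TEMPLATE.format(
        name=record["name"], name_attr=record["name"],
        bio=record["bio"], url=record["homepage"],
    )


def encode_text(value: str) -> str:
    """Encoding for an HTML text node: <, > and & become entities."""
    return html.escape(value, quote=False)


def encode_attr(value: str) -> str:
    """Encoding for a double-quoted attribute value: also neutralises quotes."""
    return html.escape(value, quote=True)


def safe_url(value: str, allowed_schemes=("http", "https")) -> str:
    """Allow-list the scheme before a stored URL goes into href; otherwise render an inert '#'.

    Assumption for this example: site-relative paths starting with a single '/' are also allowed.
    """
    value = value.strip()
    if value.startswith("/") and not value.startswith("//"):
        return encode_attr(value)
    if urlsplit(value).scheme.lower() in allowed_schemes:
        return encode_attr(value)
    return "#"


def render_profile(record: dict) -> str:
    """'After' pattern: every stored value encoded for the exact context it is placed in."""
    return PROFILE_TEMPLATE.format(
        name=encode_text(record["name"]),
        name_attr=encode_attr(record["name"]),
        bio=encode_text(record["bio"]),
        url=safe_url(record["homepage"]),
    )


def csp_header() -> str:
    """Policy that refuses inline and third-party script; served as Content-Security-Policy."""
    return (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'self'"
    )


# Constructed record holding the three classic context-breaking inputs.
SAMPLE_RECORD = {
    "name": 'Ali" onmouseover="alert(1)',
    "bio": "<script>alert(1)</script>",
    "homepage": "javascript:alert(1)",
}

if __name__ == "__main__":
    print("UNSAFE:", render_profile_unsafe(SAMPLE_RECORD))
    print("SAFE:  ", render_profile(SAMPLE_RECORD))
    print("CSP:   ", csp_header())
```

In a real deployment the context-aware encoding comes from the template engine's autoescaping rather than hand-written calls, but the division of labour is the same: encode at output for the context, validate URLs by scheme rather than by blocklist, and let the CSP header act as the backstop rather than the primary control.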
