CVE Alert: CVE-2025-11956 – Proliz Software Ltd. Co. – OBS (Student Affairs Information System)
CVE-2025-11956
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System) allows Stored XSS. This issue affects OBS (Student Affairs Information System): before 25.0401.
AI Summary Analysis
Risk verdict
High-risk stored XSS with remote access potential and high impact; exploitation is not observed at present, but patching should be prioritised.
Why this matters
Stored XSS can enable credential theft, session hijacking, or manipulation of information within a teacher-student system containing personal data. In a Student Information System, an attacker could access or alter PII, disrupt workflows, or erode trust in the institution’s digital services.
Most likely attack path
An attacker submits input that is stored and later rendered unencoded in pages viewed by other users; network access is needed and user interaction is required to trigger the payload. The low privileges requirement and network exposure mean any authenticated or unauthenticated user with form access could seed payloads, with the scope of impact potentially extending beyond the vulnerable component.
Who is most exposed
Web-facing deployments used by students and staff are the primary exposure, common in universities or colleges. If the system is hosted publicly or via exposed APIs, the blast radius broadens to any user with page access.
Detection ideas
- Logs showing stored input containing script tags or event handlers.
- WAF alerts or rules triggered by XSS-like patterns in submissions.
- CSP violation reports or inline script execution events.
- Anomalous page responses where previously stored content contains unexpected HTML/JS.
- SIEM alerts following unusual user activity after submitting potentially malicious input.
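The first and last detection ideas above (stored input containing script tags or event handlers, surfaced as SIEM-style alerts) can be exercised against submission logs. The block below is an added example, not part of the alert or of the OBS product: it runs a small set of indicator patterns over constructed form-submission records (the log shape, user ids and field names are assumptions), decodes URL and entity encoding first so encoded payloads are not missed, and reduces the batch to the entries an analyst should look at together with the reason each one fired.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample of form submissions as an application log might record
# them (user id, form field, raw submitted value). These are made-up records,
# not data from any real OBS deployment.
SAMPLE_SUBMISSIONS = [
    {"user": "s1001", "field": "display_name", "value": "Ayşe Yılmaz"},
    {"user": "s1002", "field": "bio", "value": "<script>alert(1)</script>"},
    {"user": "s1003", "field": "bio", "value": "<img src=x onerror=alert(1)>"},
    {"user": "s1004", "field": "website", "value": "javascript:alert(document.domain)"},
    {"user": "s1005", "field": "bio", "value": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"user": "s1006", "field": "note", "value": "Use <b>bold</b> for emphasis"},
    {"user": "s1007", "field": "note", "value": "Scored 5 < 10 on the quiz &amp; passed"},
]

# Indicator patterns, named so an alert can say which one fired. They are
# heuristics: ordinary text containing a word like "one=" can misfire, and
# obfuscations that are not decoded below are missed. Plain formatting tags
# such as <b> are not flagged on their own.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "active_markup": re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.I),
}


def normalise(value: str) -> str:
    """Undo URL- and HTML-entity encoding (two rounds) so encoded payloads are
    inspected in the form a browser would eventually see."""
    decoded = value
    for _ in range(2):
        decoded = html.unescape(unquote(decoded))
    return decoded


def inspect_submission(entry: dict) -> list[str]:
    """Return the names of every indicator pattern that matches the entry."""
    text = normalise(entry["value"])
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def triage(submissions: list[dict]) -> list[dict]:
    """Reduce a batch of log records to the ones worth an analyst's time,
    keeping who submitted what and why it was flagged."""
    flagged = []
    for entry in submissions:
        reasons = inspect_submission(entry)
        if reasons:
            flagged.append({"user": entry["user"], "field": entry["field"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_SUBMISSIONS):
        print(f"{hit['user']} field={hit['field']} indicators={','.join(hit['reasons'])}")
```

Records s1002 through s1005 are flagged and the last three are not; the decoded form of s1005 is what makes the encoded script tag visible, which is the step a naive pattern match on raw log text would skip.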
Mitigation and prioritisation
- Apply available patch or upgrade to mitigate the vulnerability.
- Enforce robust output encoding and input validation/sanitisation.
- Implement a strict Content Security Policy that blocks inline scripts, allowing them only when they carry a per-response nonce.
- Harden cookies (HttpOnly, Secure) and consider server-side sanitisation libraries.
- Schedule patching in a test/staging window; monitor post-deployment and enable extra logging.
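The output-encoding, CSP and cookie-hardening items above, shown together in working form. This is an added example written for this alert, not code from Proliz or from OBS: the field names, the `/csp-report` endpoint and the cookie name are assumptions. It places the vulnerable rendering pattern (stored values interpolated straight into markup) beside a hardened version that encodes each value for the context it lands in, and builds the response headers that limit what a stored payload can do if one still gets through.

```python
import html
import secrets
from urllib.parse import urlparse


def render_bio_unsafe(display_name: str, bio: str, website: str) -> str:
    """The vulnerable pattern: stored values interpolated straight into markup."""
    return f'<h2>{display_name}</h2><p>{bio}</p><a href="{website}">site</a>'


def safe_href(url: str) -> str:
    """URL context needs more than entity encoding: a javascript: URI is
    harmless as text but executes as an href, so allow only http(s) URLs."""
    cleaned = url.strip()
    parsed = urlparse(cleaned)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(cleaned, quote=True)
    return "#"


def render_bio(display_name: str, bio: str, website: str) -> str:
    """Hardened rendering: each stored value is encoded for the context it
    lands in (text node, double-quoted attribute, href)."""
    name = html.escape(display_name, quote=True)
    return (
        f'<h2 title="{name}">{name}</h2>'
        f"<p>{html.escape(bio)}</p>"
        f'<a href="{safe_href(website)}">site</a>'
    )


def build_csp(nonce: str) -> str:
    """Inline scripts run only if they carry the per-response nonce; blocked
    scripts are reported to a collection endpoint (hypothetical path)."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'; "
        "report-uri /csp-report"
    )


def session_cookie(session_id: str) -> str:
    """HttpOnly keeps the cookie out of document.cookie, Secure keeps it off
    plaintext HTTP, SameSite limits cross-site sends."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def response_headers(session_id: str, nonce: str) -> dict:
    """Headers to attach to every page that renders stored user content."""
    return {
        "Content-Security-Policy": build_csp(nonce),
        "Set-Cookie": session_cookie(session_id),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed stored values standing in for a tampered profile record.
    stored = {"display_name": 'Ayşe "Y"', "bio": "<script>alert(1)</script>",
              "website": "javascript:alert(1)"}
    print("unsafe :", render_bio_unsafe(**stored))
    print("safe   :", render_bio(**stored))
    nonce = secrets.token_urlsafe(16)
    print(response_headers(secrets.token_urlsafe(32), nonce))
    print(f'<script nonce="{nonce}">/* application code */</script>')
```

The nonce must be generated fresh per response and placed only on scripts the application itself emits; with that policy in place, a stored `<script>` that slipped past encoding would still be refused by the browser and show up as a CSP violation report, which ties back to the detection idea above.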
Note: KEV presence, PoC, and EPSS data are not provided; if KEV is true or EPSS ≥ 0.5, treat as priority 1.
