CVE-2025-10914 Overview
CVE-2025-10914 is a reflected Cross-Site Scripting (XSS) vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System). The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. Attackers can craft malicious URLs that, when clicked by an authenticated user, execute arbitrary JavaScript in the victim's browser session. The vulnerability affects all OBS versions prior to V26.0401. Turkey's national CERT (USOM) issued security notification TR-25-0357 covering this issue.
Critical Impact
A successful attack allows session hijacking, credential theft, and unauthorized actions performed in the context of an authenticated student or administrator account within the Student Affairs Information System.
Affected Products
- Proliz Software Ltd. Co. OBS (Student Affairs Information System)
- OBS versions before V26.0401
- Web-facing student portal interfaces of OBS deployments
Discovery Timeline
- 2025-10-23 - CVE-2025-10914 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-10914
Vulnerability Analysis
The vulnerability is a reflected XSS issue within the OBS web application. Input received from HTTP request parameters is reflected directly into rendered HTML without proper output encoding or sanitization. An attacker can embed JavaScript payloads in URL parameters, which the server returns inside the response page. When the victim's browser parses the response, the injected script executes in the application's origin.
Reflected XSS in a student information system exposes sensitive academic records, personal data, and session tokens. The attack requires user interaction, typically through a crafted link delivered via email, messaging, or a malicious page. EPSS data places real-world exploitation probability at a low level, but the simplicity of XSS exploitation keeps risk meaningful where the application is internet-exposed.
Root Cause
The root cause is missing or insufficient context-aware output encoding when user input is included in server-generated HTML responses. The application trusts request parameters and inserts them into the page without applying HTML entity encoding or a strict Content Security Policy.
Attack Vector
An attacker constructs a URL containing a malicious script payload in a vulnerable parameter. The attacker delivers the link to a target user, often a student or staff member with an active OBS session. When the victim opens the link, the OBS server reflects the payload into the response and the browser executes it. The script runs with the privileges of the victim's session and can exfiltrate cookies, session identifiers, form data, or perform authenticated requests on behalf of the user.
No verified proof-of-concept code is available for this CVE. Refer to the USOM Security Notification TR-25-0357 for additional context.
Detection Methods for CVE-2025-10914
Indicators of Compromise
- HTTP requests to OBS endpoints containing URL-encoded <script>, onerror=, onload=, or javascript: payloads in query parameters
- Server access logs showing reflected parameter values that match known XSS payload signatures
- Outbound browser requests from OBS sessions to unfamiliar external domains immediately after user clicks
- Anomalous session token reuse from geographically inconsistent IP addresses following user link interactions
Detection Strategies
- Inspect web server and reverse proxy logs for request parameters containing HTML or JavaScript metacharacters such as <, >, ", and %3C
- Deploy a Web Application Firewall (WAF) with OWASP Core Rule Set signatures tuned to detect reflected XSS patterns targeting OBS URL parameters
- Correlate user-agent strings, referrer headers, and parameter content to identify suspicious externally referred clicks into OBS
Monitoring Recommendations
- Forward OBS web server logs to a centralized SIEM and alert on payload signatures matching CWE-79 attack patterns
- Monitor for unexpected session activity, such as administrative actions originating from student accounts shortly after URL clicks
- Track Content Security Policy violation reports if CSP is deployed in report-only or enforcement mode
How to Mitigate CVE-2025-10914
Immediate Actions Required
- Upgrade Proliz OBS to version V26.0401 or later, which contains the vendor fix for this reflected XSS issue
- Restrict external network exposure of OBS interfaces to trusted networks or VPN access until patching is complete
- Invalidate active sessions and require re-authentication after upgrading to clear potentially compromised tokens
- Notify users to avoid clicking unsolicited links referencing the OBS portal
Patch Information
Proliz Software Ltd. Co. has released OBS V26.0401, which addresses the reflected XSS vulnerability. Administrators should coordinate with the vendor to obtain the patched release. Reference the USOM Security Notification TR-25-0357 for vendor coordination details.
Workarounds
- Deploy a Web Application Firewall in front of OBS with rules blocking common XSS payload patterns in request parameters
- Enforce a strict Content Security Policy that disallows inline script execution and restricts script sources to trusted origins
- Configure HTTP response headers including X-XSS-Protection, X-Content-Type-Options: nosniff, and Set-Cookie with HttpOnly and Secure flags to limit the impact of successful injection
- Educate users on phishing risks and the danger of clicking unverified links referencing institutional systems
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
