CVE-2025-11956: OBS Student Affairs System XSS Flaw

CVE-2025-11956 Overview

CVE-2025-11956 is a stored cross-site scripting (XSS) vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information System). The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. Authenticated attackers can inject malicious script content that executes in the browsers of other users who view the affected pages. The vulnerability affects all OBS releases prior to version 25.0401. Turkey's national CSIRT (USOM) issued advisory TR-25-0379 covering the issue. Because OBS handles student records, grades, and administrative workflows, successful exploitation can compromise high-privilege academic accounts.

Critical Impact

Stored XSS in OBS enables session hijacking, credential theft, and privileged action execution against faculty and administrative users across higher-education tenants running unpatched OBS instances.

Affected Products

• Proliz Software OBS (Student Affairs Information System) — all versions before 25.0401
• Web-facing student, faculty, and administrator portals served by OBS
• Any institutional deployment integrating OBS authentication or session cookies with downstream services

Discovery Timeline

• 2025-11-06 - CVE-2025-11956 published to NVD
• 2026-06-04 - Last updated in NVD database

Technical Details for CVE-2025-11956

Vulnerability Analysis

The vulnerability is a stored XSS issue in the OBS web interface. OBS accepts input from authenticated users and persists it without adequate output encoding or input sanitization. When other users — including higher-privilege faculty or administrators — load pages that render the stored content, the application emits the attacker-controlled payload directly into the HTML response. The browser then executes the injected JavaScript in the trusted origin of the OBS application.

Because the payload is persisted server-side, exploitation does not require crafted links or active social engineering for each victim. Any user navigating to the affected view triggers execution. The CVSS scope change reflects this cross-context impact, where script execution in one user's session reaches data and functionality belonging to other principals.

Root Cause

The root cause is missing or insufficient contextual output encoding when rendering user-controlled fields into HTML responses. Input validation does not strip or reject HTML control characters and JavaScript event handlers. The application also lacks a restrictive Content Security Policy (CSP) that would block inline script execution as a defense-in-depth layer.

Attack Vector

An authenticated attacker with low privileges submits a payload into a stored field exposed by the OBS interface — for example, a profile, message, or free-text academic field. The server saves the payload verbatim. When a victim with equal or higher privilege opens the page that displays the field, the injected script executes under the OBS origin. The attacker can exfiltrate session cookies, issue authenticated requests on the victim's behalf, modify grades or records, harvest credentials via injected forms, or pivot to administrative functionality. Exploitation requires user interaction in the form of viewing the page, but no additional victim action is needed beyond normal use of the system.

No public proof-of-concept code is available. Refer to the USOM Notification TR-25-0379 and the Siber Güvenlik advisory for vendor-coordinated details.

Detection Methods for CVE-2025-11956

Indicators of Compromise

• HTTP request bodies or query parameters containing <script>, onerror=, onload=, javascript:, or encoded variants submitted to OBS form endpoints.
• Outbound requests from OBS user browsers to unfamiliar domains carrying session cookies or form data in query strings.
• Unexpected modifications to student records, grades, or administrative settings performed by accounts shortly after they viewed pages containing user-generated content.
• OBS response bodies containing unsanitized HTML tags inside fields that should be plain text.

Detection Strategies

• Inspect web application firewall (WAF) and reverse-proxy logs for XSS signatures targeting OBS endpoints, particularly POST requests writing to user-editable fields.
• Review OBS application and database logs for stored field values containing HTML or script syntax and correlate with the submitting account.
• Hunt browser telemetry on faculty and administrator workstations for script execution originating from the OBS origin that issues cross-domain requests.

Monitoring Recommendations

• Enable verbose request logging on the OBS web tier and forward logs to a SIEM for retention and search.
• Alert on anomalous administrative actions occurring within a short window after an admin loaded a user-generated content page.
• Track Content Security Policy violation reports if CSP enforcement is configured on the OBS application.

How to Mitigate CVE-2025-11956

Immediate Actions Required

• Upgrade OBS to version 25.0401 or later on every institutional instance, including staging and disaster-recovery copies.
• Force password resets and invalidate active sessions for privileged OBS accounts once patched.
• Audit stored content in user-editable fields and remove any entries containing HTML or script syntax.
• Restrict OBS administrative interfaces to trusted networks or VPN access until patching is verified.

Patch Information

Proliz Software has released OBS version 25.0401, which addresses CVE-2025-11956. Institutions should coordinate with the vendor or their integrator to obtain the update and validate that all production tenants are on the fixed release. Reference the USOM advisory TR-25-0379 for the official notification.

Workarounds

• Deploy a WAF rule set in front of OBS that blocks common XSS payload patterns in request bodies and query parameters.
• Apply a strict Content Security Policy at the reverse proxy that disables inline scripts and limits script sources to trusted origins.
• Temporarily disable or restrict access to free-text fields known to render user input back to other users until the patch is applied.

# Example NGINX header hardening in front of OBS
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;