CVE-2025-25949 in Academia Student Information System EagleR
Summary
by MITRE • 03/03/2025
A stored cross-site scripting (XSS) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the User ID parameter at /rest/staffResource/update.
Analysis
by VulDB Data Team • 12/12/2025
This stored cross-site scripting vulnerability exists in Academia Student Information System version 1.0.118, developed by Serosoft Solutions Pvt Ltd. The flaw is triggered when malicious input is submitted in the User ID parameter of the REST endpoint /rest/staffResource/update; the value is persisted and later rendered, so an attacker can execute arbitrary web scripts or HTML in the application's context. Because the payload is stored rather than reflected, it affects every user who subsequently interacts with the affected functionality.
The root cause is inadequate input validation and missing output sanitization in the backend processing of staff resource updates. When the User ID parameter arrives through the REST API endpoint, the application neither validates it nor encodes or escapes the characters that a browser interprets as markup or script. The injected payload is stored in the application's database or in-memory structures, which is what makes the issue persistent rather than reflected. Since the attack surface is a RESTful web service interface, the vulnerability may be exploitable through automated tools or manual injection techniques that target the API's exposed endpoints.
The operational impact goes beyond executing a script once: a persistent payload can compromise user sessions, steal sensitive information, or redirect users to malicious websites. Attackers can use the stored XSS for session hijacking, cookie theft, or scripts that reach other system resources. Once injected, the payload keeps affecting any user who accesses the affected functionality, potentially compromising many users over an extended period. This is especially dangerous in educational environments, where multiple staff members use the system and view the same stored data.
Security controls should focus on comprehensive input validation and output encoding throughout the application's data processing pipeline. All user-supplied input requires proper sanitization, particularly parameters processed through REST endpoints. Content Security Policy headers, proper HTML encoding, and input validation libraries can significantly mitigate this vulnerability. Organizations should also consider automated security scanning tools that can detect and prevent injection attempts through API endpoints. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and may be categorized under ATT&CK technique T1566 for initial access through malicious input. Regular security audits of API endpoints and input validation mechanisms should be conducted to prevent similar vulnerabilities from persisting in the system architecture.
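The two controls recommended above, input validation on the update endpoint and HTML encoding on output, as an added example in Python; this is not Serosoft's code, and the User ID format (alphanumerics, dot, underscore, hyphen, up to 64 characters) and the in-memory store are assumptions made for the example:

```python
import html
import re
from typing import Optional

# Added example, not the vendor's code: a minimal model of the staffResource
# update flow. "userId" is the field the advisory reports as stored and later
# rendered without encoding.

# Constructed probe string, used only to show what each control does with it.
SAMPLE_PAYLOAD = "<script>alert(1)</script>"

# Hypothetical allow-list: the real EagleR User ID format is not on the page.
USER_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

STAFF_STORE: dict[int, dict] = {}  # in-memory stand-in for the database


def update_staff_vulnerable(staff_id: int, user_id: str) -> None:
    """Before: persists whatever the client sent (the reported behaviour)."""
    STAFF_STORE[staff_id] = {"userId": user_id}


def render_staff_vulnerable(staff_id: int) -> str:
    """Before: interpolates the stored value straight into HTML."""
    return f"<td>{STAFF_STORE[staff_id]['userId']}</td>"


def validate_user_id(user_id: str) -> Optional[str]:
    """Return the value if it matches the allow-list, otherwise None."""
    return user_id if USER_ID_RE.fullmatch(user_id) else None


def update_staff_hardened(staff_id: int, user_id: str) -> bool:
    """After: reject input that is not a well-formed User ID before storing it."""
    clean = validate_user_id(user_id)
    if clean is None:
        return False
    STAFF_STORE[staff_id] = {"userId": clean}
    return True


def render_staff_hardened(staff_id: int) -> str:
    """After: HTML-encode on output, even for values validation already accepted."""
    return f"<td>{html.escape(STAFF_STORE[staff_id]['userId'], quote=True)}</td>"


def csp_headers() -> dict[str, str]:
    """Defence in depth: a CSP that refuses inline scripts and event handlers."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}
```

Validation stops the payload from being stored, and encoding neutralises a value that was stored before the fix; both are needed because records written by the vulnerable version remain in the database.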