CVE-2025-10099: Multiples Cross-Site Scripting (XSS) Reflected in endpoint educar_usuario_cad.php
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-10099
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the educar_usuario_cad.php endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the email, data_inicial and data_expiracao parameters.
Details
Vulnerable Endpoint: educar_usuario_cad.php
Parameters: email, data_inicial and data_expiracao
The application reflects this input directly in the response. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim’s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user’s session.
PoC
Payloads:
Parameter email
| |
Parameters data_inicial and data_expiracao
| |
Impact
- Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
- Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
- Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
- Stealing credentials: Attackers can steal a user's credentials.
- Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
- Defacing websites: Attackers can deface a website by altering its content.
- Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
- Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.
Reference
https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10099.md
Finder
By: CVE-Hunters