Featured image of post CVE-2025-8346
XSS Moderate I-Educar Security WebApp

CVE-2025-8346

Cross-Site Scripting (XSS) Reflected

CVE-2025-8346: Cross-Site Scripting (XSS) Reflected endpoint educar_aluno_lst.php via ref_cod_matricula parameter

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-8346

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the educar_aluno_lst.php endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the ref_cod_matricula parameter.

Details

Vulnerable Endpoint: educar_aluno_lst.php

Parameter: ref_cod_matricula

PoC

Payload:

1

  "><img%20src=x%20onerror=alert(%27CVE-Hunters%27)>

Full Payload:

1

  https://localhost/intranet/educar_aluno_lst.php?ref_cod_matricula="><img%20src=x%20onerror=alert(%27CVE-Hunters%27)>

Impact

  • Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
  • Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
  • Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
  • Stealing credentials: Attackers can steal a user's credentials.
  • Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
  • Defacing websites: Attackers can deface a website by altering its content.
  • Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
  • Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Reference

https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8346.md

Finder

Natan Maia Morette

By: CVE-Hunters

© 2020 - 2025 CVE-Hunters
Built with Hugo
Theme Stack designed by Jimmy