Featured image of post CVE-2025-8508
XSS Moderate I-Educar Security WebApp

CVE-2025-8508

Cross-Site Scripting (XSS) Stored

CVE-2025-8508: Multiples Cross-Site Scripting (XSS) Stored in endpoint /intranet/educar_avaliacao_desempenho_cad.php

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-8508

Summary

Multiples Stored Cross-Site Scripting (XSS) vulnerabilities was identified in the /intranet/educar_avaliacao_desempenho_cad.php endpoint of the i-Educar application. This vulnerability allows attackers to inject malicious scripts into the titulo_avaliacao and descricao parameters. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.

Details

Vulnerable Endpoint: /intranet/educar_avaliacao_desempenho_cad.php

Parameters: titulo_avaliacao and descricao

The application fails to properly validate and sanitize user inputs in the titulo_avaliacao and descricao parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.

PoC

Payload:

1

  <script>alert('PoC-XXS51')</script>

The payload was submitted via the titulo_avaliacao and descricao fields and stored successfully. When the page displaying these values is accessed, the script is executed in the context of the user's browser session, confirming the presence of a stored XSS vulnerability.

Impact

  • Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
  • Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
  • Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
  • Stealing credentials: Attackers can steal a user's credentials.
  • Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
  • Defacing websites: Attackers can deface a website by altering its content.
  • Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
  • Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Reference

https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8508.md

Finder:

Marcelo Queiroz

By: CVE-Hunters

© 2020 - 2025 CVE-Hunters
Built with Hugo
Theme Stack designed by Jimmy