CVE-2025-8538

How I Discovered Multiple Stored XSS Flaws in i-Educar (With PoC and Screenshots)


While I was analyzing the open-source project i-Educar, I stumbled upon something unexpected: a stored XSS vulnerability that could silently affect anyone using the system. And it wasn’t just one field — both the name and description parameters in the /usuarios/tipos/novo route were vulnerable.
After properly testing, documenting, and reporting the issue, it was officially assigned CVE-2025-8538.
In this post, I’ll show you how I found the flaw, how it works, and why it matters — with real screenshots, a working PoC, and the impact this kind of bug can have in production environments.

CVE-2025-8538 covers two stored Cross-Site Scripting (XSS) vulnerabilities in the /usuarios/tipos/novo endpoint of the i-Educar application.
The vulnerability allows attackers to inject malicious scripts into the name and description fields.
These scripts are saved on the server and executed as soon as the /usuarios/tipos page is loaded. This means that any user who accesses that page ends up executing the script without noticing.

Vulnerable Endpoint: /usuarios/tipos/novo

Affected Parameters: name, description

Trigger Page: /usuarios/tipos

Payload Used

"><img src=x onerror=alert('CVE-Hunters')>

To demonstrate the vulnerability, the following steps were performed:

  1. Access the endpoint: /usuarios/tipos/novo
  2. Insert the payload above into the fields: Tipo de Usuário and Descrição
  3. Click on: “Salvar”
  4. The /usuarios/tipos page will automatically load, triggering the XSS:

[Screenshots: Parameter name; Parameter description]

Report

You can access the full report and see the complete step-by-step here:

CVE-2025-8538 Report

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

The vulnerability was reported ethically and assigned as:

This discovery reinforces the importance of input validation and the adoption of secure coding practices in web development. Even educational systems — which handle sensitive data from students and teachers — are not immune to critical vulnerabilities.
If you’re a developer, sysadmin, or security enthusiast, here’s a reminder: never underestimate the impact of a stored XSS vulnerability.
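
The output-encoding fix this points to, shown as an added example (it is not i-Educar code and not part of the original report). The function names, record fields, and sample rows are hypothetical; the payload is the one used above.

```javascript
// Added example: illustrative only, not i-Educar source code.
// All function and field names are hypothetical.

// Encode the characters that are significant in HTML text and in
// quoted attribute values, so stored input is rendered as data.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": stored values are concatenated into markup unchanged,
// which is the behaviour that makes the listing page execute the payload.
function renderRowUnsafe(type) {
  return `<tr><td title="${type.name}">${type.name}</td><td>${type.description}</td></tr>`;
}

// "After": every stored value is encoded at output time.
function renderRowSafe(type) {
  const name = escapeHtml(type.name);
  const description = escapeHtml(type.description);
  return `<tr><td title="${name}">${name}</td><td>${description}</td></tr>`;
}

// Audit helper: flag already-stored records that contain HTML
// metacharacters, so rows saved before the fix can be reviewed.
function findSuspectRecords(records) {
  const meta = /[<>"]/;
  return records.filter((r) => meta.test(r.name) || meta.test(r.description));
}

// Constructed sample data: one benign record and one carrying the payload from this post.
const payload = `"><img src=x onerror=alert('CVE-Hunters')>`;
const records = [
  { id: 1, name: 'Professor', description: 'Teaching staff' },
  { id: 2, name: payload, description: payload },
];

console.log(renderRowUnsafe(records[1])); // contains a live <img ... onerror=...> element
console.log(renderRowSafe(records[1]));   // payload appears only as encoded text
console.log(findSuspectRecords(records).map((r) => r.id));
```

In a PHP code base the equivalent encoding step is `htmlspecialchars()` with `ENT_QUOTES`, applied where the value is written into the page.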

Discovered with 💜 by Karina Gante.


Official Member of CVE-Hunters 🏹
