CVE-2025-8539

How I Found a Stored XSS in i-Educar via public_distrito_cad.php (With PoC and Screenshots)


While continuing my analysis of the i-Educar Open-Source project, I identified another issue: a stored XSS vulnerability in the /intranet/public_distrito_cad.php endpoint. The nome field failed to properly sanitize input, allowing malicious scripts to be injected and executed automatically on the district listing page.
After a full investigation and responsible disclosure, the issue was assigned CVE-2025-8539.
In this write-up, I share technical details, a step-by-step PoC, screenshots, and the potential impact of this vulnerability.

CVE-2025-8539 refers to a stored Cross-Site Scripting (XSS) vulnerability in the /intranet/public_distrito_cad.php endpoint of the i-Educar application.
The issue was found in the nome parameter, which accepts and stores unsanitized user input.
Once saved, the malicious script is executed whenever the page /intranet/public_distrito_lst.php is accessed — affecting anyone who visits it.

Vulnerable Endpoint: /intranet/public_distrito_cad.php

Affected Parameter: nome

Trigger Page: /intranet/public_distrito_lst.php

Payload Used

"><img src=x onerror=alert('CVE-Hunters')>

To confirm the vulnerability, I followed these steps:

Access the endpoint: /intranet/public_distrito_cad.php

Fill in the remaining fields as needed

Insert the payload in the fourth field: Nome

Click on: “Salvar”

After submission, the page /intranet/public_distrito_lst.php will automatically be triggered, executing the XSS:

Parameter nome
Report

You can access the full report and see the complete step-by-step here:

CVE-2025-8539 Report

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

The vulnerability was reported ethically and assigned as:

Even a single input field without proper validation can open the door to high-impact attacks. CVE-2025-8539 highlights the importance of input sanitization at every stage of development.
If you work with web applications — especially platforms handling public or educational data — it’s important to review all user entry points carefully.
Simple oversights like this one can easily go unnoticed but carry serious risks.
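As an added example (not code from i-Educar or from the original write-up), the sketch below renders a district row with the stored nome value written as-is and again with output encoding via htmlspecialchars, then parses both to count markup the template never emits. The function names, the row template and the sample rows are assumptions made for illustration; the page does not show the project's actual fix.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not i-Educar code): encode a value for HTML text
// and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the stored nome is concatenated into the listing markup as-is.
function renderRowUnsafe(array $district): string
{
    return '<tr><td><a title="' . $district['nome'] . '">'
        . $district['nome'] . '</a></td></tr>';
}

// After: the same row with nome encoded at output time.
function renderRowSafe(array $district): string
{
    $nome = e($district['nome']);
    return '<tr><td><a title="' . $nome . '">' . $nome . '</a></td></tr>';
}

// Regression check: parse the rendered row and count elements or
// event-handler attributes that the template itself never emits.
function injectedNodes(string $rowHtml): int
{
    libxml_use_internal_errors(true); // tolerate fragment markup
    $dom = new DOMDocument();
    $dom->loadHTML('<table>' . $rowHtml . '</table>');
    $xpath = new DOMXPath($dom);
    // The template emits only tr, td and a; the parser adds the wrappers.
    $query = '//*[not(self::html or self::body or self::table or self::tbody'
        . ' or self::tr or self::td or self::a)] | //@*[starts-with(name(), "on")]';
    return $xpath->query($query)->length;
}

// Constructed sample rows; the second nome is the payload from this write-up.
$rows = [
    ['nome' => 'Centro'],
    ['nome' => '"><img src=x onerror=alert(\'CVE-Hunters\')>'],
];

foreach ($rows as $row) {
    printf("unsafe=%d safe=%d\n",
        injectedNodes(renderRowUnsafe($row)),
        injectedNodes(renderRowSafe($row)));
}
```

A nonzero count for a rendered row means a stored value changed the page structure, which makes this check usable as a regression test for listing pages such as /intranet/public_distrito_lst.php.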

Discovered with💜 by Karina Gante.


Official Member of CVE-Hunters🏹
