8/6/2025/3 minutes to read/Tags: CVEs, XSS, i-Educar
Introduction
While exploring i-Educar system, I discovered multiples stored XSS vulnerabilities in the /intranet/empresas_cad.php endpoint. The fantasia and razão social parameters, allows the injection of malicious scripts without any sanitization.
These scripts are stored in the database and executed automatically when the /intranet/empresas_lst.php page is accessed.
In this post, I’ll walk you through the technical details, how the vulnerability was exploited (PoC), screenshots with real evidence, and the security risks it represents in real-world environments.
What is CVE-2025-8542?
The CVE-2025-8542 refers two stored Stored Cross-Site Scripting (XSS) vulnerability found in the /intranet/empresas_cad.php endpoint of the i-Educar application.
The fantasia and razão social parameters fails to properly validate user inputs, allowing attackers to persist JavaScript payloads on the server. The malicious code is executed when the /intranet/empresas_lst.php page is loaded, impacting any user who visits it.
Technical Details
» Vulnerable Endpoint:/intranet/empresas_cad.php
» Affected Parameters:fantasia, razão social
» Trigger Page:/intranet/empresas_lst.php
» Payload Used:
<imgsrc=xonerror=alert(1)>
Proof of Concept (PoC)
To reproduce the vulnerability:
» Access the endpoint:/intranet/empresas_cad.php;
» Insert the payload in both fields:“Nome Fantasia” and "Razão Social";
» The other fields can be left empty;
» Click on:“Salvar”
The /intranet/empresas_lst.php page will automatically load, triggering the malicious payloads:
Parameter fantasia:
Parameter razão social:
You can access the full technical report with all step-by-step evidence here:
