CVE-2025-9653

How I Discovered Multiple Stored XSS in i-Educar via educar_projeto_cad.php (With PoC and Screenshots).


While analyzing the company registration functionality in the i-Educar system, I found multiple stored XSS vulnerabilities in the /intranet/educar_projeto_cad.php endpoint. Both the name and observacao fields accepted malicious scripts without any input sanitization.
As a result, the payload was saved on the server and executed automatically when accessing the company listing page. This vulnerability was officially assigned as CVE-2025-9653.
In this post, I’ll walk you through the technical details, PoC steps, and security risks posed by this issue.

CVE-2025-9653 refers to two stored Cross-Site Scripting (XSS) vulnerabilities in the /intranet/educar_projeto_cad.php endpoint of the i-Educar application.
The name and observacao parameters fail to properly sanitize user input, allowing malicious scripts to be stored and automatically executed when the /intranet/educar_projeto_lst.php page is accessed.

Vulnerable Endpoint: /intranet/educar_projeto_cad.php

Affected Parameters: name and observacao

Trigger Page: /intranet/educar_projeto_lst.php

Payload Used

"><img src=x onerror=alert('CVE-Hunters')>

To reproduce this vulnerability, follow the steps below:

1. Access the vulnerable endpoint.
2. Insert the payload in the first field ("Nome do Projeto") and the second field ("Observação").
3. Click on "Salvar".

The /intranet/educar_projeto_lst.php page will load automatically, triggering the stored XSS:
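To show why the listing page executes the stored payload and what output encoding changes, here is an added example (my own code, not i-Educar's): a minimal model of a listing row in which the name lands inside a double-quoted attribute and in a text node, rendered once with raw interpolation and once HTML-encoded, then parsed to see which elements and event handlers the browser would create. The row template and function names are assumptions for illustration.

```python
from html import escape
from html.parser import HTMLParser

# The PoC payload from the post, exactly as it would be stored on the server.
STORED_PAYLOAD = "\"><img src=x onerror=alert('CVE-Hunters')>"

# Assumed row template: name is placed in a double-quoted attribute (the leading
# "> of the payload is what closes that attribute) and in a text node; observacao
# is placed in a text node.
ROW = '<tr><td><a title="{name}">{name}</a></td><td>{obs}</td></tr>'


def render_row_vulnerable(name: str, obs: str) -> str:
    """Interpolates the stored values unchanged, so the browser parses them as markup."""
    return ROW.format(name=name, obs=obs)


def render_row_hardened(name: str, obs: str) -> str:
    """HTML-encodes each value; quote=True also encodes ' and " so a value can
    never terminate the attribute it is placed in."""
    return ROW.format(name=escape(name, quote=True), obs=escape(obs, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees and any on* handler attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)
        self.handlers += [n for n, _ in attrs if n.lower().startswith("on")]


def injected_markup(html: str) -> tuple[list[str], list[str]]:
    """Returns (element names not in the template, event-handler attribute names).
    Both lists are empty when the stored values were rendered as inert text.
    Uses Python's lenient parser as a stand-in for the browser's."""
    parser = _TagCollector()
    parser.feed(html)
    expected = {"tr", "td", "a"}
    return [t for t in parser.tags if t not in expected], parser.handlers


if __name__ == "__main__":
    for label, render in (("vulnerable", render_row_vulnerable), ("hardened", render_row_hardened)):
        tags, handlers = injected_markup(render(STORED_PAYLOAD, STORED_PAYLOAD))
        print(f"{label}: injected elements={tags} handlers={handlers}")
```

The vulnerable render yields three img elements with onerror handlers (two from name, one from observacao); the hardened render yields none, because every < and " from the stored values reaches the browser as an entity.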

[Screenshots: stored XSS triggering via parameter name; stored XSS triggering via parameter observacao]
Report

You can access the full technical report with all PoC steps here:

CVE-2025-9653 Report

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

The issue was ethically reported and officially registered as:

CVE-2025-9653 shows that even seemingly harmless fields like company names can become vectors for stored XSS attacks. When such values are displayed in administrative panels without proper validation or output encoding, they pose a real threat.
Validating input on every form, and encoding output wherever that input is displayed — no matter how trivial the field — is essential to keeping web applications secure.

Discovered with 💜 by Karina Gante.


Official Member of CVE-Hunters🏹
