CVE-2025-9723

Stored XSS in i-Educar via educar_tipo_regime_cad.php (With PoC and Screenshots)


While reviewing yet another section of the i-Educar project, I discovered another instance of stored XSS — this time in the endpoint /intranet/educar_tipo_regime_cad.php. The vulnerability lies in the nm_tipo parameter, which doesn’t properly sanitize user input, allowing scripts to be injected and persist in the system.
Once saved, the payload is executed automatically when the listing page is accessed. The issue was formally recognized as CVE-2025-9723.
In this post, I walk you through the technical details, the step-by-step PoC, and the real risks this bug presents in production.

CVE-2025-9723 is a stored Cross-Site Scripting (XSS) vulnerability affecting the /intranet/educar_tipo_regime_cad.php endpoint of the i-Educar application.
The flaw resides in the nm_tipo parameter, which accepts and stores malicious input without any validation or sanitization.
The script is triggered automatically when users access the listing page: /intranet/educar_tipo_regime_lst.php.

Vulnerable Endpoint: /intranet/educar_tipo_regime_cad.php

Affected Parameter: nm_tipo

Trigger Page: /intranet/educar_tipo_regime_lst.php

Payload Used

"><img src=x onerror=alert('CVE-Hunters')>

To reproduce the vulnerability, follow these steps:

Access the endpoint /intranet/educar_tipo_regime_cad.php and select the default option in the first field.

Insert the payload in the second field: Nome Tipo

Click on: “Salvar”

The page /intranet/educar_tipo_regime_lst.php will load immediately, and the stored XSS will execute automatically:

Parameter nm_tipo

Report

You can access the full report and see the complete step-by-step here:

CVE-2025-9723 Report

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

The vulnerability was reported ethically and assigned as:

This is another example of how a single unsanitized field can create a serious security threat. CVE-2025-9723 serves as a reminder of the importance of proper input validation — especially in administrative sections of web applications.
If you work with systems handling public data, educational platforms, or user-generated content, always review every input field — no matter how small — to avoid this kind of persistent threat.
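
The fix this conclusion points to, shown as an added example (not code from i-Educar or from the original report): the stored nm_tipo value is encoded for the HTML context when the listing is rendered, with write-time validation as a second layer. The function names, the row markup and the allowed-character policy are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not i-Educar functions,
// and the <td>/<a title> markup is an assumed shape for a listing row.

/** Vulnerable pattern: the stored value is concatenated into HTML unchanged. */
function renderRowUnsafe(string $nmTipo): string
{
    return '<td><a title="' . $nmTipo . '">' . $nmTipo . '</a></td>';
}

/** Hardened pattern: encode for the HTML context at output time. */
function renderRowSafe(string $nmTipo): string
{
    // ENT_QUOTES covers both quote styles, so the value cannot close the attribute.
    $encoded = htmlspecialchars($nmTipo, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td><a title="' . $encoded . '">' . $encoded . '</a></td>';
}

/** Defence in depth at write time: reject names that cannot be legitimate. */
function validateNmTipo(string $nmTipo): string
{
    $nmTipo = trim($nmTipo);
    // Assumed policy: letters, digits, spaces and basic punctuation, 1 to 255 characters.
    if (!preg_match('/^[\p{L}\p{N} .,\-()\/]{1,255}$/u', $nmTipo)) {
        throw new InvalidArgumentException('nm_tipo contains disallowed characters');
    }
    return $nmTipo;
}

// Constructed sample input: the payload quoted in this post and an ordinary name.
$samples = ["\"><img src=x onerror=alert('CVE-Hunters')>", 'Regime Integral'];

foreach ($samples as $value) {
    echo 'unsafe: ', renderRowUnsafe($value), PHP_EOL;
    echo 'safe:   ', renderRowSafe($value), PHP_EOL;
    try {
        validateNmTipo($value);
        echo 'validation: accepted', PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'validation: rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Output encoding is the control that closes the bug, because it also neutralizes values that were stored before validation existed; the validation step only narrows what can be written from now on.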

Discovered with 💜 by Karina Gante.


Official Member of CVE-Hunters🏹
