Socials

Table of contents

  1. CVE-2025-9723
  2. Introduction
  3. What is CVE-2025-9723?
  4. Technical Details
  5. Proof of Concept (PoC)
  6. Impact
  7. Official Sources
  8. Credits
CVE-2025-9723 CVE-2025-9723

CVE-2025-9723

8/31/2025 / 3 minutes to read / Tags: CVEs, XSS, i-Educar

Introduction

While exploring i-Educar system, I discovered a stored XSS vulnerability in the /intranet/educar_tipo_regime_cad.php endpoint. The nm_tipo parameter, allows the injection of malicious scripts without any sanitization.

These scripts are stored in the database and executed automatically when the corresponding listing page is accessed.

In this post, I’ll walk you through the technical details, how the vulnerability was exploited (PoC), screenshots with real evidence, and the security risks it represents in real-world environments.

What is CVE-2025-9723?

The CVE-2025-9723 is a Stored Cross-Site Scripting (XSS) vulnerability found in the /intranet/educar_tipo_regime_cad.php endpoint of the i-Educar application.

The nm_tipo parameter fails to properly validate user inputs, allowing attackers to persist JavaScript payloads on the server. The malicious code is executed when the /intranet/educar_tipo_regime_lst.php page is loaded, impacting any user who visits it.

Technical Details

» Vulnerable Endpoint: /intranet/educar_tipo_regime_cad.php

» Affected Parameter: nm_tipo

» Trigger Page: /intranet/educar_tipo_regime_lst.php

» Payload Used:

"><img src=x onerror=alert('CVE-Hunters')>

Proof of Concept (PoC)

To reproduce the vulnerability:

» Access the endpoint: /intranet/educar_tipo_regime_cad.php;

» Select default option on first field;

» Insert the payload in the: “Nome Tipo” field;

» Click on: “Salvar”

The /intranet/educar_tipo_regime_lst.php page will automatically load, triggering the malicious payload:

You can access the full technical report with all step-by-step evidence here:

CVE-2025-9723 Report

Impact

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

Official Sources

This vulnerability was reported responsibly and is publicly registered as:

Credits

Discovered with💜 by Karina Gante.

LinkedInGitHubGmailInstagram

Official Member of CVE-Hunters🏹

← Back to blog