Key Information

Vulnerability Type: Reflected Cross-Site Scripting (XSS)

Vulnerability Location
Application: i-Educar
Endpoint:
Parameters: and

Vulnerability Details
The application fails to validate and sanitize user input supplied in the and parameters. Because the values are reflected into the response without encoding, an attacker can inject script that is returned to the victim's browser and executed in the victim's session.

PoC (Proof of Concept)
Payload:
Example Attack URLs:
-
-

Impact
User Actions: Attackers can perform any action that the victim is authorized to perform.
Data Theft: Attackers can steal data or install malware on the user's machine.
Account Compromise: Attackers can manipulate or steal cookies, or leak confidential information.
Malicious Code Execution: Attackers can execute malicious code on the user's system.
Damage to Business Reputation: Attackers can deface company websites or spread misinformation.
Misdirection: Attackers can alter the information presented to users, which is especially dangerous when the target is a government website or one providing critical resources.

References
CVE-2025-8368
VulnDB-318340
i-Educar – Official Repository

Discoverer
Marcelo Queiroz by CVE-Hunters
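The bug class described above, as an added illustration that is not i-Educar's code: a handler that interpolates reflected query parameters unescaped, the hardened form that HTML-encodes them, and a verification check a tester can run against a response to confirm the fix. The parameter names and the sample request are constructed, since the advisory does not publish them.

```python
import html
from urllib.parse import parse_qs

# Hypothetical parameter names; the advisory does not name the real ones.
REFLECTED_PARAMS = ("param_a", "param_b")


def render_vulnerable(query_string: str) -> str:
    """Mirrors the bug class: parameter values are placed into the page unescaped."""
    params = parse_qs(query_string, keep_blank_values=True)
    fields = [params.get(name, [""])[0] for name in REFLECTED_PARAMS]
    return "<p>Resultado: {} / {}</p>".format(*fields)


def render_fixed(query_string: str) -> str:
    """Hardened form: every reflected value is entity-encoded for the HTML text context."""
    params = parse_qs(query_string, keep_blank_values=True)
    fields = [
        html.escape(params.get(name, [""])[0], quote=True) for name in REFLECTED_PARAMS
    ]
    return "<p>Resultado: {} / {}</p>".format(*fields)


def is_reflected_unescaped(query_string: str, body: str) -> bool:
    """Verification check: True if any parameter value that contains HTML-significant
    characters appears verbatim in the response body, i.e. reflection without encoding."""
    params = parse_qs(query_string, keep_blank_values=True)
    for values in params.values():
        for value in values:
            if any(c in value for c in "<>\"'") and value in body:
                return True
    return False


# Constructed sample request using the generic probe string, not the advisory's payload.
SAMPLE_QS = "param_a=<script>alert(1)</script>&param_b=ok"

if __name__ == "__main__":
    print("vulnerable reflects unescaped:", is_reflected_unescaped(SAMPLE_QS, render_vulnerable(SAMPLE_QS)))
    print("fixed reflects unescaped:     ", is_reflected_unescaped(SAMPLE_QS, render_fixed(SAMPLE_QS)))
```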