Key Information

Vulnerability Type: Stored Cross-Site Scripting (XSS)
Vulnerable Endpoint:
Parameters:

Vulnerability Description

This vulnerability allows attackers to inject malicious scripts via the and parameters. The injected scripts are stored on the server and execute automatically whenever the affected page is viewed by a user, posing a severe security risk.

PoC (Proof of Concept)

Encoded Payload:
Decoded Payload:

Impact

- Session Cookie Theft: attackers can hijack user sessions and perform actions on the victim's behalf.
- Malware Distribution: users may be tricked into downloading and executing malicious software.
- Browser Hijacking: control of the user's browser through JavaScript execution in the application's origin.
- Credential Theft: stealing usernames, passwords, and other sensitive information.
- Exposure of Sensitive Data: accessing data stored in the application or in the browser.
- Website Defacement: altering the content of web pages seen by users.
- User Redirection: redirecting victims to phishing or malicious websites.
- Damage to Business Reputation: loss of user trust if attacks originate from the application.

References

- CVE-2025-8508
- VulnDB-318607
- T-Educar - Official Repository

Discoverer

Marcelo Quininoz
CVE-Hunters
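The store-then-render flow the description refers to, shown as an added Python example (not code from the advisory or from T-Educar) with the defective rendering beside the hardened one; the URL-encoded sample value, the in-memory store and the parameter name `field_a` are constructed assumptions, not the advisory's real endpoint, parameters or payload:

```python
import html
from urllib.parse import unquote

# Constructed sample: a URL-encoded parameter value as it arrives in a request,
# carrying a harmless test script. Not the payload from the advisory.
ENCODED_SAMPLE = "%3Cscript%3Ealert%281%29%3C%2Fscript%3E"

_store = {}  # hypothetical server-side store: parameter name -> saved value


def save_parameter(name, encoded_value):
    """The server URL-decodes the request parameter and persists it verbatim.
    Storing the raw value is not the bug; rendering it unencoded later is."""
    _store[name] = unquote(encoded_value)
    return _store[name]


def render_vulnerable(name):
    """Defective pattern: the stored value is interpolated into HTML as-is,
    so a saved <script> element runs for every user who loads the page."""
    return f"<td>{_store[name]}</td>"


def render_hardened(name):
    """Fix: encode on output for the HTML context. html.escape with quote=True
    also encodes quotes, so the value stays inert in element text and in
    double-quoted attribute values."""
    return f"<td>{html.escape(_store[name], quote=True)}</td>"


def value_is_encoded(name, rendered):
    """Regression check: the stored value must appear in the rendered markup
    only in its escaped form, never verbatim."""
    raw = _store[name]
    escaped = html.escape(raw, quote=True)
    return escaped in rendered and (raw == escaped or raw not in rendered)
```

A Content-Security-Policy that disallows inline script is worthwhile defence in depth, but output encoding at the sink is the fix for this class of bug.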