Key Information Vulnerability Overview CVE ID: CVE-2025-8543 Vulnerability Type: Stored Cross-Site Scripting (XSS) Affected Parameter: Severity: Medium Vulnerability Details Vulnerable Endpoint: Trigger Page: Issue Description The application fails to properly validate and sanitize user input in the parameter, allowing attackers to inject malicious scripts that are stored on the server. When the affected page is accessed, the malicious script automatically executes in the victim’s browser. PoC (Proof of Concept) 1. Access the vulnerable endpoint. 2. Insert the payload into the first field (“Raca”). 3. Click “Salvar” — the trigger page will automatically activate. Payload Example Impact Session Cookie Theft: Attackers can steal session cookies to hijack user sessions and perform actions on their behalf. Malware Download: Attackers can trick users into downloading and installing malware. Browser Hijacking: Attackers can hijack the user’s browser or deliver browser-based exploits. Credential Theft: Attackers can steal user credentials. Sensitive Information Disclosure: Attackers can access sensitive information stored in user accounts or browsers. Website Tampering: Attackers can alter website content. User Misdirection: Attackers can modify instructions provided to users, misleading their behavior. Reputation Damage: Attackers can damage the enterprise’s reputation by tampering with the company website or spreading false information. References CVE VulnDB Discoverer Karina Gante