Key Information

Vulnerability Overview
CVE ID: CVE-2025-8541
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Affected File:
Parameter:

Vulnerability Details
Vulnerable Endpoint:
Triggering Page:
Description: The application fails to properly validate and sanitize user input in the affected parameter, so script content submitted through it is stored and then executed automatically in the browser of any user who opens the triggering page.

Proof of Concept (PoC)
Steps:
1. Access the vulnerable endpoint.
2. Select "Brasil" in the first field ("Pais").
3. Select any option in the second field ("Estado UF").
4. Insert the payload in the third field ("Nome").
5. Click the "Salvar" button; the triggering page will automatically execute the stored payload.

Payload:

Impact
Session Cookie Theft: Attackers can steal session cookies to hijack user sessions and perform actions on the victim's behalf.
Malware Download: Attackers can trick users into downloading and installing malware on their computers.
Browser Hijacking: Attackers can hijack users' browsers or deliver browser-based exploits.
Credential Theft: Attackers can steal user credentials.
Sensitive Information Disclosure: Attackers can access sensitive information stored in user accounts or browsers.
Website Tampering: Attackers can alter website content.
User Misdirection: Attackers can modify the instructions shown to users and so mislead them into unintended actions.
Reputation Damage: Attackers can damage the company's reputation by defacing the corporate website or spreading false information.

References
CVE
VulDB

Discoverer
Karina Gante
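The root cause named in the description is untrusted input being written back into the page without output encoding. The following is an added illustration, not code from the affected application or from the advisory: it contrasts the vulnerable render pattern with an escaped one, adds a storage-time validation for the "Nome" field as defence in depth, and includes a small check that a reviewer can run against a render function to confirm the stored value no longer reaches the page verbatim. The field names "Pais", "Estado UF" and "Nome" follow the advisory; the record shape, the function names, the allowed-character set for names and the sample value are all constructed assumptions.

```javascript
// Added illustration (not code from the affected application): the stored XSS
// pattern the advisory describes and the output-encoding fix for it.
// Field names follow the advisory; the record shape, function names, validation
// rules and the sample value below are constructed assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that let text break out of an HTML text node or a
// quoted attribute. Applied at output time, never at storage time, so the
// database keeps the original value and every render path is protected.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored "Nome" value is concatenated into the markup
// unchanged, so markup saved through the form is rendered as markup for every
// visitor of the triggering page (stored XSS).
function renderRowUnsafe(record) {
  return `<tr><td>${record.pais}</td><td>${record.uf}</td><td>${record.nome}</td></tr>`;
}

// Fixed pattern: every value that originated from user input is escaped at the
// exact point where it is written into HTML.
function renderRowSafe(record) {
  return (
    `<tr><td>${escapeHtml(record.pais)}</td>` +
    `<td>${escapeHtml(record.uf)}</td>` +
    `<td>${escapeHtml(record.nome)}</td></tr>`
  );
}

// Defence in depth at storage time: a person's name has no legitimate need for
// markup characters, so reject them on input as well. The allowed set (Unicode
// letters, space, apostrophe, period, hyphen; 1 to 100 characters) is an assumption.
function validateNome(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 100) {
    return { ok: false, reason: 'length' };
  }
  if (!/^[\p{L} '.-]+$/u.test(value)) {
    return { ok: false, reason: 'disallowed characters' };
  }
  return { ok: true };
}

// Review-time check for a render function: if a stored value that contains
// markup characters still appears verbatim in the output, it reached the page
// without encoding.
function isInjected(html, storedValue) {
  return /[<>"'&]/.test(storedValue) && html.includes(storedValue);
}

// Constructed sample record, not data from the advisory. The name contains the
// four characters most relevant to HTML context breaks.
const SAMPLE_RECORD = {
  pais: 'Brasil',
  uf: 'SP',
  nome: 'Ana <i>Souza</i> & "Cia"',
};

// Stand-alone demonstration of both render paths and the validator.
function demo() {
  console.log('unsafe  :', renderRowUnsafe(SAMPLE_RECORD));
  console.log('safe    :', renderRowSafe(SAMPLE_RECORD));
  console.log('validate:', validateNome(SAMPLE_RECORD.nome));
}
demo();
```

The validator is a secondary control only: fields such as free-text descriptions legitimately contain `<` or `&`, so the escaping at output time is the fix that actually closes the issue, and `isInjected` is the kind of assertion to keep in the test suite for every template that displays the affected field.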