Key Information Vulnerability Type Stored Cross-Site Scripting (XSS) Vulnerable Location Vulnerable Endpoint: Parameter: Vulnerability Details The application fails to properly validate and sanitize user input in the parameter, allowing attackers to inject malicious scripts that are stored on the server. When the affected page is accessed, the malicious script automatically executes in the user's browser. Proof of Concept (PoC) Payload: This payload is submitted via the parameter and persists within the application interface. Upon accessing the affected page, the payload is rendered and executed in the browser, confirming the presence of a stored XSS vulnerability. Impact Stealing session cookies: Attackers can hijack user sessions and perform actions on behalf of users. Delivering malware: Users may be tricked into downloading and executing malicious software. Hijacking browsers: Full control over the user’s browser via JavaScript execution. Credential theft: Theft of usernames, passwords, and other sensitive information. Exposing sensitive data: Access to data stored in the application or browser. Website defacement: Altering the content of web pages viewed by users. User redirection: Redirecting victims to phishing or malicious websites. Damaging business reputation: Loss of trust if users are attacked through the application. References CVE-2025-8784 VulnDB-31912 I-Educar - Official Repository Discoverer Marcelo Queiroz by CVE-Hunters