Key Information Vulnerability Type Cross-Site Scripting (XSS): Stored XSS Vulnerability Description A stored XSS vulnerability was discovered in the endpoint. Attackers can inject malicious scripts via multiple parameters; these scripts are stored on the server and automatically executed when users access the affected page. Vulnerability Details Affected Endpoint: POST Parameters: Parecer, Conteudos, Objetivos The application fails to properly validate and sanitize user input, allowing attackers to inject malicious scripts. Proof of Concept (PoC) Payload: Steps: 1. Insert the payload into the Parecer parameter. 2. Save the data. 3. Access the "Histórico" option. Impact Session Cookie Theft: Attackers can steal session cookies to hijack user sessions and perform actions on behalf of users. Malware Download: Attackers can trick users into downloading and installing malware. Browser Hijacking: Attackers can hijack users’ browsers or deliver browser-based exploits. Credential Theft: Attackers can steal user credentials. Sensitive Information Disclosure: Attackers can access sensitive information stored in user accounts or browsers. Website Defacement: Attackers can alter content to deface the website. User Misdirection: Attackers can modify instructions provided by the target website to mislead user behavior. Reputation Damage: Attackers can damage the company’s reputation by defacing the corporate website or spreading false information. References CVE-2025-8788 VuInDB-319316 i-diario - Official Repository Discoverer Marcelo Queiroz CVE-Hunters