i-Educar 2.10.0 - Stored Cross-Site Scripting (XSS) in admin panel

Description

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the educar_usuario_cad.php endpoint of the i-Educar application. The issue arises because the matricula_interna parameter is not sanitized before being stored in the database. Malicious scripts injected into this field persist in the system and are executed whenever the affected record is displayed in the web interface, leading to a persistent client-side compromise.

Vulnerability

The application fails to properly validate or encode user input in the Matrícula Interna field (matricula_interna). An attacker can inject arbitrary JavaScript code into this field, which is stored in the backend database. Whenever the admin later views the affected record, the malicious payload executes in their browser context.

It is important to note that this vulnerability works from admin to admin. Administrator permissions are required, and it only affects other users with access to the administrative panel.

PoC

><svg/onload=alert(16)

Steps to reproduce:

1. Log in with an account that can create or edit users.

2. Navigate to Configurações → Permissões → Usuários

3. Create a new user or edit an existing one.

4. In the Matrícula Interna field, insert the payload

5. Save changes.

6. Open the affected user record.

7. The payload executes immediately, confirming the stored XSS.

Evidence of Exploitation

Our security policy

We have reserved the ID CVE-2025-9638 to refer to this issue from now on.

Disclosure policy

System Information

• i-Educar

• Version 2.10.0

• Operating System: Any

References

• Github Repository: https://github.com/portabilis/i-educar

• Security: https://github.com/portabilis/i-educar/security

Credits

The vulnerability was discovered by Marcelo Queiroz, an independent security researcher.