Jetimob Plataforma Imobiliaria Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Jetimob Plataforma Imobiliaria version 20240627-0. The issue arises in the 'Busca' (search) function, specifically within the filter Save option. Here, the 'Título' (title) field allows the injection of JavaScript, which is then executed when the filter is applied or deleted, via a confirmation window that displays the injected payload.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, navigate to the 'Busca' (search) function and access the filter Save option. In the 'Título' (title) field, inject a JavaScript payload, such as an image tag with an error event handler, designed to execute JavaScript when the image fails to load. Once the payload is saved, it will be executed either when the filter is created or when attempting to delete it, as the deletion confirmation window will display the injected script.
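The root cause described above is a stored title being parsed as markup when the confirmation window displays it. The following is an added example, not Jetimob's code: the function names, the dialog markup and the sample title are assumptions constructed for illustration, and it contrasts the unsafe rendering pattern with output encoding plus a check suitable for a regression test.

```javascript
// Added example: names and markup are hypothetical, not taken from the product.

// Constructed sample title of the kind the advisory describes
// (an image tag with an error event handler).
const SAMPLE_TITLE = '<img src=x onerror=alert(1)>';

// Vulnerable pattern: the stored title is concatenated into HTML that a
// dialog would later assign to innerHTML, so the browser parses it as markup.
function buildConfirmHtmlUnsafe(title) {
  return '<p>Delete filter "' + title + '"?</p>';
}

// Encode the five HTML-significant characters so the value renders as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: encode at output time for the HTML body context.
// In a browser, assigning the title via element.textContent achieves the
// same result without building an HTML string at all.
function buildConfirmHtmlSafe(title) {
  return '<p>Delete filter "' + escapeHtml(title) + '"?</p>';
}

// Regression check: true if the fragment contains any tag other than the
// wrapper <p> that the template itself emits.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?p>$/.test(tag));
}

console.log(containsInjectedTag(buildConfirmHtmlUnsafe(SAMPLE_TITLE))); // true
console.log(containsInjectedTag(buildConfirmHtmlSafe(SAMPLE_TITLE)));   // false
```

Because the payload is stored, the encoding has to be applied wherever the title is rendered, including both the filter list and the deletion confirmation.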
