Portábilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- 2.9
A stored cross-site scripting vulnerability has been identified in i-Educar version 2.9. The application does not properly validate and sanitize user input, particularly in the user type (Tipo de Usuário) field. This allows a malicious user to inject arbitrary JavaScript that is stored and then executed when another user views the page, potentially leading to unauthorized information access or other malicious actions.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
To reproduce this vulnerability, navigate to the user type management section. Edit a user type and insert a payload containing JavaScript, such as an image tag with an error event handler. Once the payload is saved and the page is revisited, the injected script will execute.
To address this vulnerability, ensure proper input validation and sanitization. In PHP, encoding user-supplied values with 'htmlentities' before they are written into the HTML response can help mitigate cross-site scripting risks.
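The following is an added example, not i-Educar's own code, showing the vulnerable pattern (echoing the stored user type name verbatim) beside the hardened pattern (HTML-encoding it with htmlentities at output time, plus a strict allow-list check on input). The variable name, the table-cell template and the allow-list pattern are assumptions; the sample input is constructed.

```php
<?php
// Added example (not i-Educar code): rendering a stored "Tipo de Usuário" name
// with and without output encoding. Names and template are assumptions.

// Constructed sample input of the kind described in the advisory: a user type
// name that carries an image tag with an error event handler.
$tipoUsuarioNome = 'Coordenador <img src=x onerror="alert(1)">';

// Vulnerable: the stored value is written into the HTML verbatim, so the
// browser parses the tag and runs the handler whenever another user views the
// page (stored XSS).
function renderUnsafe(string $nome): string
{
    return "<td>{$nome}</td>";
}

// Hardened: HTML-encode on output so the browser displays the text instead of
// parsing it as markup. ENT_QUOTES also covers attribute contexts; the
// explicit UTF-8 charset matters because the content is Portuguese.
function renderSafe(string $nome): string
{
    return '<td>' . htmlentities($nome, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth on input: a user type name has no legitimate need for
// angle brackets or quotes, so reject anything outside a narrow allow-list.
// The exact pattern is an assumption; adjust it to the field's real rules.
function validateTipoUsuarioNome(string $nome): bool
{
    return preg_match('/^[\p{L}\p{N} .\-_]{1,50}$/u', $nome) === 1;
}

echo renderUnsafe($tipoUsuarioNome), PHP_EOL;
echo renderSafe($tipoUsuarioNome), PHP_EOL;
var_dump(validateTipoUsuarioNome($tipoUsuarioNome));
var_dump(validateTipoUsuarioNome('Coordenador'));
```

Encoding belongs at the point where the value is written into HTML; a value placed into a JavaScript, URL or CSS context needs a context-specific encoder instead, and input validation alone should not be relied on to prevent XSS.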