Portabilis i-Educar Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the '/usuarios/tipos/(ID)' endpoint, where the 'Tipos de Usuário' and 'Descrição' fields are vulnerable to script injection. This vulnerability allows attackers to inject malicious scripts that are stored on the server and executed in the browsers of users who access the affected entries.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content. This can lead to session hijacking, credential theft, malware delivery, privilege escalation, content manipulation, and reputation damage.

Reproduction

To reproduce this vulnerability, log into the i-Educar application with an account that has permission to create or edit user types. Navigate to 'Configurações > Permissões > Tipos de Usuário' and select an existing user type to edit or create a new one. In the 'Tipos de Usuário' and 'Descrição' fields, insert a script payload, such as a script tag including JavaScript code, and save the changes. The injected script will execute immediately, confirming the presence of the vulnerability.