Portabilis i-Educar Cross-Site Scripting Vulnerability in Calendar Annotation Management

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the file '/intranet/educar_calendario_anotacao_cad.php', where the 'nm_anotacao' and 'descricao' parameters are not properly validated or sanitized. This flaw allows attackers to inject malicious scripts that are stored on the server and executed in the context of users accessing the page, potentially compromising their data and systems.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, access the '/intranet/educar_calendario_ano_letivo_lst.php' endpoint and create a new calendar entry. Once the calendar is set up, navigate to the '/intranet/educar_calendario_anotacao_lst.php' page. Here, click on 'Nova Anotação' to create a new annotation. Inject a script payload into the 'Anotação' and 'Descrição' fields, then save the entry. The trigger page will automatically refresh, executing the injected script.