Portabilis i-Educar Cross-Site Scripting Vulnerability in the Editar Função Page

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the Editar Função Page, specifically within the 'educar_funcao_cad.php' file. The vulnerability is triggered by manipulating the 'abreviatura' and 'tipoacao' parameters, allowing for the injection of malicious scripts that are executed in the context of the user viewing the affected entry. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, log into the i-Educar application with an account that has permission to create or edit function entries. Navigate to 'Servidores > Cadastros > Tipos > Funções' and select 'Add' to create a new function or 'Edit' to modify an existing one. In the 'Abreviatura' and 'Tipo Ação' fields, insert a payload such as a script tag or an SVG image with an 'onload' event. After saving the entry, the injected script will execute immediately in the browser, confirming the presence of the vulnerability. To trigger the XSS in the 'tipoacao' parameter, the payload must be sent directly through the request after editing the corresponding field.