Realce Tecnologia Queue Ticket Kiosk Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Realce Tecnologia Queue Ticket Kiosk versions prior to 20250517. The issue resides in the Cadastro de Administrador Page, specifically within the /adm/index.php file. The vulnerability is triggered by manipulating the Name/Usuário argument, allowing the injection of malicious scripts that are executed when the user list or profile is accessed. This exploitation requires administrative privileges and user interaction.
Impact
Exploitation of this vulnerability allows injected scripts to be executed in the context of the user viewing the affected page, potentially leading to session hijacking, data theft, or privilege escalation.
Reproduction
To reproduce this vulnerability, an administrator must create a new user through the admin user creation page. During this process, the Name field can be filled with JavaScript payloads. Once the user is created, the injected script will execute whenever the user list or profile is viewed.
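The following PHP is an added illustration, not code from Realce Tecnologia or the original advisory: it places the unsafe rendering pattern the advisory describes (a stored name echoed into the user list without encoding) beside a hardened version. The function names, the `$user` array keys and the sample record are assumptions; the page only names /adm/index.php and the Name/Usuário field.

```php
<?php
// Added example (not the vendor's code). renderUserRowUnsafe(), e(),
// renderUserRowSafe() and the 'nome'/'usuario' keys are assumptions.

// Vulnerable pattern: the stored name is concatenated into HTML as-is, so
// markup saved through the admin user creation page executes in the
// browser of whoever later views the user list or profile (stored XSS).
function renderUserRowUnsafe(array $user): string
{
    return '<tr><td>' . $user['nome'] . '</td><td>' . $user['usuario'] . '</td></tr>';
}

// Hardened pattern: encode every untrusted value for the HTML text context.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8, which would otherwise hide a bad record.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUserRowSafe(array $user): string
{
    return '<tr><td>' . e($user['nome']) . '</td><td>' . e($user['usuario']) . '</td></tr>';
}

// Second layer, applied when the administrator submits the form: accept only
// plausible display names instead of relying on output encoding alone.
function isValidDisplayName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\p{N} .\'-]{1,60}$/u', $name);
}

// Constructed sample record: a name containing markup, as the advisory says
// the Name field can hold. Nothing here is taken from the vendor's database.
$sample = ['nome' => '<script>alert("xss")</script>', 'usuario' => 'admin2'];

echo renderUserRowUnsafe($sample), PHP_EOL; // <script> tag reaches the browser intact
echo renderUserRowSafe($sample), PHP_EOL;   // &lt;script&gt;... is displayed as text
var_dump(isValidDisplayName($sample['nome'])); // bool(false): rejected at input time
```

A fix in the application itself would route every echo of stored user data on /adm/index.php through an encoder such as e() above, and validate the Name field on submission.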
