Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- 2.9.0
A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar version 2.9.0, specifically within the School Module. The issue arises in the file '/intranet/educar_escola_lst.php', where the 'Escola' argument can be manipulated to inject JavaScript. This vulnerability can be exploited remotely and requires user interaction, as the injected script is executed when the page is accessed by a logged-in user.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed automatically when the affected page is accessed.
To reproduce this vulnerability, log into i-Educar with valid credentials and navigate to the School Module. Access the 'Escola' list page and either create a new school entry or edit an existing one. In the 'Escola' field, insert a script payload, such as a JavaScript alert. After saving the entry, the script will execute each time the school list page is loaded.
It is recommended to implement input sanitization to reject or neutralize script-containing input, properly encode user input before rendering it in HTML, and use XSS mitigation libraries such as OWASP Java Encoder, HTMLPurifier, or DOMPurify.
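As an added illustration of the output-encoding recommendation above (example code written for this page, not i-Educar's own; the project's actual rendering code is not shown here), the snippet contrasts echoing the stored 'Escola' name unencoded into the list table with passing it through htmlspecialchars first. The function names and the sample value are constructed.

```php
<?php
// Added example: the school name ('Escola') must be HTML-encoded at the
// point where it is rendered into the list page, regardless of what was
// stored. Function names and the sample value are constructed.

declare(strict_types=1);

// Vulnerable pattern: the stored value is interpolated into markup as-is,
// so any tag or attribute characters it contains become part of the page.
function renderEscolaRowUnsafe(string $escola): string
{
    return "<tr><td>{$escola}</td></tr>";
}

// Hardened pattern: encode for an HTML text context. ENT_QUOTES also encodes
// single and double quotes, which matters if the same value is later placed
// inside an attribute; the explicit charset avoids mis-decoding problems.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderEscolaRowSafe(string $escola): string
{
    return '<tr><td>' . encodeHtml($escola) . '</td></tr>';
}

// Constructed sample: a school name containing markup-significant characters.
$sample = 'Escola "Modelo" <Teste> & Cia';

$unsafe = renderEscolaRowUnsafe($sample);
$safe   = renderEscolaRowSafe($sample);

// In the encoded output no raw '<', '>' or '"' from the input survives, so
// the browser treats the whole value as text and never as markup.
assert(strpos($safe, '<Teste>') === false);
assert(strpos($safe, '&lt;Teste&gt;') !== false);
assert(strpos($safe, '&quot;Modelo&quot;') !== false);

echo "unencoded: {$unsafe}\n";
echo "encoded:   {$safe}\n";
```

Run with `php example.php`. The same encoding step belongs wherever the 'Escola' value is rendered, including the value attribute of the edit form's input field, since a list page fix alone leaves other output points exposed.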