Portabilis i-Educar Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar version 2.9.0, specifically within the Course Module. The issue arises in the file '/intranet/educar_curso_det.php?cod_curso=ID', where the 'Curso' parameter can be manipulated to inject JavaScript. This injected script is executed when the course list is paginated and viewed by authenticated users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log into i-Educar with valid credentials and navigate to the 'Curso' module. Create or edit a 'Curso' entry by accessing the 'Curso' creation or editing page. In the 'Curso' field, insert a script payload, such as an alert script. After saving the entry, navigate through the course records to trigger the execution of the injected script.

Remediation

It is recommended to implement input sanitization to reject or neutralize script-containing input, properly encode user input before rendering it in HTML, and use XSS mitigation libraries such as OWASP Java Encoder, HTMLPurifier, or DOMPurify.