Portabilis i-Educar Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability affects Portabilis i-Educar version 2.9.0 in the Function Management Module ('Funções', reached through the 'Servidores' module). The value submitted in the 'Função' parameter is stored and later rendered by '/intranet/educar_funcao_det.php' without adequate output encoding, so an authenticated user who can create or edit a function entry can persist a JavaScript payload that executes in the browser of every user who subsequently opens the affected function list.

Impact

Because the payload is stored server-side, it runs in the browser of any user who views the affected page, not only the attacker, and it does so within the i-Educar origin and under that user's authenticated session. The injected script can therefore read page content, issue requests to the application on the victim's behalf and perform any action the victim is permitted to perform. The only interaction required from the victim is opening the function list, and the payload keeps firing until the entry is edited or removed.

Reproduction

To reproduce this vulnerability, log into i-Educar with credentials that can manage functions and navigate to the 'Servidores' module. Open the 'Funções' section and either create a new entry or edit an existing one. In the 'Função' field, enter a script payload (a JavaScript alert is sufficient to demonstrate execution) and save the entry. The payload is stored and executes whenever the function list is accessed; reopening the entry for editing is a second place where it may be rendered, since the stored value is echoed back into the form.

Remediation

The stored value should be HTML-encoded at the point of output everywhere it is rendered (the function list, the detail page and the edit form), using an encoder appropriate for the HTML context, for example PHP's htmlspecialchars() with ENT_QUOTES and the page's character set. Input validation is a worthwhile second layer: a job title only needs letters, digits, spaces and a few punctuation characters, and a length limit, so the field can be restricted to that set. Rejecting "script-containing input" by pattern is not sufficient on its own, because payloads that avoid the filtered pattern or rely on the surrounding markup context will still pass through.
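The following is an added illustrative example, not code from the i-Educar project; it models the two places a stored 'Função' name is shown again (a list cell and the edit form's input value), contrasts raw concatenation with output encoding, and adds the input-side validation described above. The sample value is a constructed payload of the kind the reproduction steps describe; the function and variable names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not i-Educar's own code. The function names and the
// 'nome' field name are illustrative assumptions.

// Constructed sample input: what an authenticated user could save as 'Função'.
// The leading "> closes an attribute and tag if the value lands inside one,
// so the same payload works in both the list cell and the edit form.
$nomeFuncao = '"><script>alert(document.domain)</script>';

// Vulnerable pattern: the stored value is concatenated into markup unchanged,
// so the browser parses the payload as a real <script> element.
function renderRowVulnerable(string $nome): string
{
    return '<tr><td>' . $nome . '</td></tr>';
}

function renderEditFieldVulnerable(string $nome): string
{
    return '<input type="text" name="nome" value="' . $nome . '">';
}

// Fix: encode at the point of output for the HTML context the value lands in.
// ENT_QUOTES also encodes single quotes (needed inside attributes),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and the charset argument must match the page's declared encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowFixed(string $nome): string
{
    return '<tr><td>' . e($nome) . '</td></tr>';
}

function renderEditFieldFixed(string $nome): string
{
    return '<input type="text" name="nome" value="' . e($nome) . '">';
}

// Defence in depth on the input side: a job title needs letters (including
// accented ones), digits, spaces and a few punctuation marks, within a length
// limit. This narrows what can be stored but does not replace output encoding.
function isValidNomeFuncao(string $nome): bool
{
    return mb_strlen($nome, 'UTF-8') <= 80
        && preg_match('/^[\p{L}\p{N} .,\/()-]+$/u', $nome) === 1;
}

// Render the same stored value both ways so the difference is visible.
echo renderRowVulnerable($nomeFuncao), PHP_EOL;
echo renderRowFixed($nomeFuncao), PHP_EOL;
echo renderEditFieldVulnerable($nomeFuncao), PHP_EOL;
echo renderEditFieldFixed($nomeFuncao), PHP_EOL;

// The validator rejects the payload and accepts an ordinary title.
var_dump(isValidNomeFuncao($nomeFuncao));
var_dump(isValidNomeFuncao('Professor de Matemática'));
```

Run it with `php` from the command line. In the fixed outputs the angle brackets and quotes arrive in the browser as entities, so the value is displayed as literal text instead of being parsed as markup; the validator is only a second barrier and would not be enough by itself if the field were ever rendered unencoded in a different context (for example inside a JavaScript string), which needs its own context-specific encoder.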

Added: Jul 7, 2025, 5:18 AM
Updated: Jul 7, 2025, 5:18 AM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.