Portabilis i-Educar Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar version 2.9.0. The issue resides in the Curricular Components Module, specifically within the '/module/ComponenteCurricular/edit?id=ID' endpoint. The vulnerability is triggered by manipulating the 'Nome' parameter, allowing authenticated attackers to inject malicious scripts that are executed when the component list is accessed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected component.

Reproduction

To reproduce this vulnerability, log into i-Educar with valid credentials and navigate to the 'Escola' module. Access the 'Componentes Curriculares' section and either create a new entry or edit an existing one. In the 'Nome' field, insert a script payload, such as a JavaScript alert, and save the changes. The injected script will execute when the component list is accessed.

Remediation

Recommended fixes are to validate input server-side so that script-containing values are rejected or neutralized, to apply context-appropriate output encoding to user-supplied values before rendering them in HTML, and to use established XSS mitigation libraries such as OWASP Java Encoder, HTMLPurifier, or DOMPurify.
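As an added illustration of the output-encoding remediation (example code, not i-Educar's own), the following PHP renders one row of a component list, first with the stored 'Nome' value inserted raw, which is the pattern behind a stored XSS, and then with the value encoded for the HTML context it lands in. The record shape, row markup and function names are assumptions.

```php
<?php
// Added illustration of the remediation; this is not i-Educar's own code.
// It renders one row of a curricular-component list, first the way a stored XSS
// arises (raw concatenation of the persisted 'Nome' value) and then with
// context-appropriate output encoding applied at render time.

declare(strict_types=1);

/** HTML-encode a value for use in element content or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // both "..." and '...' attribute values; an explicit UTF-8 charset
    // avoids encoding ambiguities that can bypass partial escaping.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored name is placed into the markup unchanged. */
function renderRowUnsafe(array $component): string
{
    return '<tr><td><a href="/module/ComponenteCurricular/edit?id=' . $component['id'] . '">'
        . $component['nome'] . '</a></td></tr>';
}

/** Hardened pattern: every untrusted value is encoded for the context it lands in. */
function renderRow(array $component): string
{
    $id = (int) $component['id'];  // numeric id: cast rather than trusting the stored value
    return '<tr><td><a href="/module/ComponenteCurricular/edit?id=' . $id . '">'
        . e($component['nome']) . '</a></td></tr>';
}

// Constructed sample record standing in for a row saved through the 'Nome' field
// with the kind of alert payload described in the reproduction section.
$component = [
    'id'   => 42,
    'nome' => 'Matemática<script>alert(1)</script>',
];

echo renderRowUnsafe($component), PHP_EOL;  // the <script> tag reaches the browser intact
echo renderRow($component), PHP_EOL;        // &lt;script&gt; is displayed as text, not executed
```

Encoding at render time protects every page that displays the stored value, including records saved before the fix was deployed, which input-side rejection alone does not.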

Added: Jul 7, 2025, 5:26 AM
Updated: Jul 7, 2025, 5:26 AM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.