Portabilis i-Educar Stored Cross-Site Scripting Vulnerability in Disabilities Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar version 2.9.0, specifically within the Disabilities Module. The issue arises in the file '/intranet/educar_deficiencia_lst.php', where the 'Deficiência ou Transtorno' argument can be manipulated to inject malicious scripts. This vulnerability can be exploited remotely, and an available proof-of-concept exploit demonstrates its feasibility.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, log into i-Educar with valid credentials and navigate to the 'Disability and Disorder Types' module. Create a new entry or edit an existing one, and insert a script payload into the 'Deficiência ou Transtorno' field. Once saved, the injected script will execute when the listing page is accessed.

Remediation

It is recommended to validate input so that values containing scripts or HTML elements are rejected or stripped, and to HTML-encode stored values before rendering them in the page.
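As an added illustration of the remediation above (example code, not i-Educar's own source), the following PHP shows the unencoded listing pattern that produces this class of stored XSS beside its output-encoded form, plus an input-side check for the create/edit handler. The column name 'deficiencia', the function names and the sample rows are constructed placeholders.

```php
<?php
// Added example, not i-Educar's own code. The column name, function
// names and sample rows are constructed placeholders for illustration.
declare(strict_types=1);

// Encode a value for safe inclusion in HTML element content or attribute
// values. ENT_QUOTES covers both quote styles so the same helper is safe
// inside attributes; the explicit charset avoids multibyte confusion.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Input-side check for the create/edit handler: a name that changes under
// strip_tags() contains HTML markup and is rejected rather than stored.
function is_plain_name(string $value): bool
{
    return $value === strip_tags($value);
}

// Vulnerable pattern: the stored field is echoed into the listing without
// encoding, so any markup saved in it becomes part of the page.
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['deficiencia'] . '</td></tr>';
}

// Hardened pattern: every stored value passes through e() at output time,
// regardless of what validation happened on the way in.
function render_row_safe(array $row): string
{
    return '<tr><td>' . e($row['deficiencia']) . '</td></tr>';
}

// Constructed sample rows, as the listing page would fetch them; the
// second one carries a harmless script marker to show the difference.
$rows = [
    ['deficiencia' => 'Baixa visão'],
    ['deficiencia' => '<script>alert("x")</script>'],
];

foreach ($rows as $row) {
    $accepted = is_plain_name($row['deficiencia']) ? 'accepted' : 'rejected';
    echo 'input check: ', $accepted, PHP_EOL;
    echo 'unsafe: ', render_row_unsafe($row), PHP_EOL;
    echo 'safe:   ', render_row_safe($row), PHP_EOL;
}
```

The safe renderer emits `&lt;script&gt;...` for the marker row, so the browser displays the text instead of executing it, while the input check would have refused to store that row in the first place.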

Added: Jul 20, 2025, 4:17 AM
Updated: Jul 20, 2025, 4:17 AM

Vulnerability Rating (Custom Algorithm)

spread: 1.9
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.