Portabilis i-Diario Cross-Site Scripting Vulnerability in Justificativas-de-Falta Endpoint
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Diario version 1.5.0. This issue arises in the justificativas-de-falta endpoint, where the Anexo argument can be manipulated to inject malicious scripts. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected JavaScript runs in the browser of any user who opens the uploaded file. This could lead to theft of sensitive information such as session cookies or authentication tokens, manipulation of the application's interface, and general compromise of the application's integrity.
Reproduction
To reproduce this vulnerability, upload a crafted SVG file containing a script payload to the justificativas-de-falta endpoint. Once the file is uploaded, accessing it will trigger the execution of the embedded JavaScript, demonstrating the cross-site scripting vulnerability.
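The root cause is that an uploaded SVG is stored and later served as an inline document. As an added example (not i-Diario's own code), the Ruby below shows the two controls a defender would put on such an upload path: rejecting SVGs that carry active content, and serving stored attachments with headers that keep any remaining script from executing in the application's origin. Function and constant names are assumptions.

```ruby
# Added example, not part of i-Diario. Uses only the REXML parser that
# ships with Ruby, so it runs stand-alone.
require "rexml/document"

# Elements that let an SVG execute script or embed arbitrary HTML.
ACTIVE_ELEMENTS = %w[script foreignobject].freeze
# URL schemes that turn an href into code execution when clicked/loaded.
ACTIVE_URL_SCHEMES = /\A\s*(javascript|data|vbscript)\s*:/i.freeze

# Returns the reasons an uploaded SVG must be rejected; empty means clean.
def svg_upload_findings(bytes)
  findings = []
  doc = REXML::Document.new(bytes)
  root = doc.root
  return ["not an SVG document"] if root.nil? || root.name.downcase != "svg"

  REXML::XPath.each(doc, "//*") do |el|
    findings << "active element <#{el.name}>" if ACTIVE_ELEMENTS.include?(el.name.downcase)
    el.attributes.each do |attr, value|
      lower = attr.downcase
      if lower.start_with?("on")            # onload, onclick, ... (conservative rule)
        findings << "event handler #{attr} on <#{el.name}>"
      elsif lower.end_with?("href") && value =~ ACTIVE_URL_SCHEMES  # href, xlink:href
        findings << "script URL in #{attr} on <#{el.name}>"
      end
    end
  end
  findings
rescue REXML::ParseException => e
  # Malformed XML is treated as unsafe rather than passed through.
  ["unparsable XML: #{e.message.lines.first.strip}"]
end

def safe_svg?(bytes)
  svg_upload_findings(bytes).empty?
end

# Defense in depth for files that are stored anyway: force a download in an
# origin-less sandbox, so even a script-bearing file cannot run with the
# application's cookies or session.
def upload_response_headers(filename)
  safe_name = filename.gsub(/[^\w.\-]/, "_")
  {
    "Content-Type" => "application/octet-stream",
    "Content-Disposition" => "attachment; filename=\"#{safe_name}\"",
    "X-Content-Type-Options" => "nosniff",
    "Content-Security-Policy" => "sandbox",
  }
end
```

The validator is a gate at upload time; the headers protect files that were already stored before the gate existed.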
