Portabilis i-Diario Cross-Site Scripting Vulnerability in Version 1.5.0
Vulnerability
A reflected cross-site scripting vulnerability has been identified in Portabilis i-Diario version 1.5.0. This issue affects the '/conteudos' endpoint, specifically the 'filter[by_description]' parameter. The vulnerability arises because the application does not properly validate and sanitize user inputs, allowing attackers to inject malicious scripts that are executed in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the victim's browser. This could lead to theft of cookies, session hijacking, or other malicious actions under the user's identity.
Reproduction
To reproduce this vulnerability, send a request to the '/conteudos' endpoint with a crafted 'filter[by_description]' parameter that includes a malicious script payload, such as an image tag with an 'onerror' event. The injected script will be executed in the browser, demonstrating the cross-site scripting vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.