Portabilis i-Diario Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Portabilis i-Diario version 1.5.0. This issue affects the '/diario-de-observacoes/[ID]' endpoint, specifically the 'Observações > Descrição' parameter. The vulnerability arises because the application does not properly validate or sanitize user inputs in this parameter, allowing attackers to inject malicious scripts. These scripts are stored on the server and executed automatically when the affected page is accessed, potentially compromising users' data and systems.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page. This could lead to session hijacking, downloading of malware, browser hijacking, credential theft, exposure of sensitive information, website defacement, misdirection of users, and damage to a business's reputation.

Reproduction

To reproduce this vulnerability, insert a script payload into the 'Observações > Descrição' parameter and save it. Then, access the 'Histórico' option to trigger the execution of the injected script.