Primary

Context

Portabilis i-Educar Cross-Site Scripting Vulnerability in User Types Management

Vulnerability

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar version 2.10. The issue resides in the 'tipos/novo' endpoint, where user input in the 'name' and 'description' fields is not properly validated or sanitized. This allows attackers to inject malicious scripts that are stored on the server and executed in the context of users accessing the 'tipos' page. The vulnerability can be exploited remotely, but requires authentication and user interaction.

Impact

Exploitation of this vulnerability allows for multiple stored cross-site scripting impacts, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the 'tipos/novo' endpoint. Insert a payload, such as an image tag with an 'onerror' event, into the 'Tipo de Usuário' and 'Descrição' fields. After saving, the injected script will execute when the 'tipos' page is accessed.

Added: Aug 5, 2025, 1:17 AM

Updated: Aug 5, 2025, 1:17 AM

Vulnerability Rating

Custom Algorithm

spread

1.9

impact

5.4

exploitability

6.3

remediation

0.0

relevance

0.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.9

impact

5.4

exploitability

6.3

remediation

0.0

relevance

0.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Portabilis i-Educar Cross-Site Scripting Vulnerability in User Types Management

Vulnerability

Impact

Reproduction

Affected Products

Portabilis i-Educar

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating