Portabilis i-Diario Cross-Site Scripting Vulnerability in Registro das Atividades Component

A stored cross-site scripting vulnerability has been identified in Portabilis i-Diario versions through 1.5.0. The issue resides in the Registro das atividades component, specifically within the '/registros-de-conteudos-por-areas-de-conhecimento/[ID]' endpoint. The vulnerability allows for the injection of malicious scripts into multiple parameters, including 'Registro de atividades' and 'Conteúdos'. These injected scripts are stored on the server and executed automatically when the affected page is accessed, posing a significant security risk.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the page. This can lead to session hijacking, credential theft, and other malicious actions such as downloading malware or defacing websites.

Reproduction

To reproduce this vulnerability, insert a script payload into the 'Registro de atividades' or 'Conteúdos' parameters on the vulnerable endpoint. After saving the input, navigate to the 'Histórico' option to trigger the execution of the injected script.