Portabilis i-Diario Cross-Site Scripting Vulnerability in Informações Adicionais Component

A stored cross-site scripting vulnerability has been identified in Portabilis i-Diario versions through 1.5.0. The issue resides in the '/planos-de-aula-por-areas-de-conhecimento/[ID]' endpoint, specifically within the 'Parecer', 'Conteúdos', and 'Objetivos' parameters. The application fails to properly validate and sanitize user inputs, allowing attackers to inject malicious scripts that are stored on the server and executed in the context of the user accessing the page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page. This could lead to session hijacking, downloading of malware, browser hijacking, credential theft, exposure of sensitive information, website defacement, misdirection of users, and damage to a business's reputation.

Reproduction

To reproduce this vulnerability, send a POST request to the '/planos-de-aula-por-areas-de-conhecimento/[ID]' endpoint. Include a script payload in the 'Parecer' parameter. After saving the input, navigate to the 'Histórico' option to trigger the execution of the injected script.