Portabilis i-Diario Cross-Site Scripting Vulnerability in History Page Component
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Diario versions through 1.6. The issue arises in the History Page component, specifically within the '/objetivos-de-aprendizagem-e-habilidades' file. The vulnerability is triggered by manipulating the 'código' and 'objetivo_habilidade' input fields, which can be accessed through the BNCC > Objetivos de aprendizagem e habilidades menu. This flaw allows for the injection of arbitrary JavaScript, which is stored and executed when the History page is accessed.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, navigate to the 'Objetivos de aprendizagem e habilidades' section. Edit the 'código' and 'objetivo/habilidade' input fields by inserting a script payload, such as an image tag with an 'onerror' event. Once the payload is saved, access the 'History' page to trigger the script execution.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.