Portabilis i-Diario Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Portabilis i-Diario version 1.6. The issue arises in the 'Dicionário de Termos BNCC' page, specifically within the 'Planos de ensino' input field. The field allows users to inject arbitrary JavaScript, which is executed when the 'Planos de ensino por disciplina' or 'Planos de ensino por áreas do conhecimento' pages are accessed. The attack can be carried out remotely, and a public exploit is available.

Impact

Exploiting this vulnerability results in stored cross-site scripting: the injected script is saved by the application and executed in the context of the user who opens the affected pages.

Reproduction

To reproduce this vulnerability, navigate to the 'Dicionário de Termos BNCC' page and locate the 'Planos de ensino' input field. Insert a payload, such as an image tag with an 'onerror' event, into the field. Once the payload is saved, access the 'Planos de ensino por disciplina' or 'Planos de ensino por áreas do conhecimento' pages to trigger the injected script.
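The rendering flaw described above and its output-encoding fix, as an added example in Ruby (not i-Diario's code). The templates, the table-cell markup and the helper names are hypothetical, and the stored value is a constructed sample with a harmless handler.

```ruby
require "erb"

# Constructed sample of a stored field value: the kind of markup the advisory
# describes (an image tag with an onerror handler).
STORED_TERM = '<img src=x onerror=alert(1)>'

# Hypothetical templates standing in for a page that lists stored terms.
# Plain ERB does not escape <%= %> output. Rails views escape it by default,
# unless the value is marked html_safe or passed through raw.
UNSAFE_TEMPLATE = ERB.new('<td class="term"><%= term %></td>')
SAFE_TEMPLATE   = ERB.new('<td class="term"><%= ERB::Util.html_escape(term) %></td>')

# Vulnerable rendering: the stored value reaches the page as live markup.
def render_unsafe(term)
  UNSAFE_TEMPLATE.result_with_hash(term: term)
end

# Hardened rendering: HTML metacharacters are encoded at output time, so the
# browser displays the stored value as text instead of parsing it as a tag.
def render_safe(term)
  SAFE_TEMPLATE.result_with_hash(term: term)
end

# Audit helper: list already-stored values that contain angle brackets so
# existing records can be reviewed once the output encoding is in place.
def suspicious_terms(terms)
  terms.select { |t| t.match?(/[<>]/) }
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(STORED_TERM)
  puts render_safe(STORED_TERM)
  puts suspicious_terms(["Plano anual", STORED_TERM]).inspect
end
```

Encoding at output protects every page that displays the field, including values saved before the fix.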

Added: Aug 13, 2025, 8:52 PM
Updated: Aug 13, 2025, 8:52 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.