Portabilis i-Diario Cross-Site Scripting Vulnerability in Informações Adicionais Page
Vulnerability
A stored cross-site scripting vulnerability has been identified in Portabilis i-Diario versions through 1.5.0. The issue resides in the Informações Adicionais Page, specifically within the '/planos-de-ensino-por-areas-de-conhecimento/' endpoint. The vulnerability is triggered by manipulating the 'Parecer', 'Conteúdos', and 'Objetivos' parameters, allowing attackers to inject malicious scripts that are stored on the server and executed in the context of the user accessing the page.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page. This could lead to session hijacking, credential theft, and other impacts associated with cross-site scripting vulnerabilities.
Reproduction
To reproduce this vulnerability, send a POST request to the '/planos-de-ensino-por-areas-de-conhecimento[ID]' endpoint, replacing '[ID]' with the appropriate identifier. Include a script payload in the 'Parecer' parameter. After saving the input, navigate to the 'Histórico' option to trigger the execution of the injected script.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.