Portabilis i-Educar Cross-Site Scripting Vulnerability in FormulaMedia Module

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the FormulaMedia edit module, where user inputs in the nome and formulaMedia parameters are not properly validated or sanitized. This flaw allows for the injection of malicious scripts, which are stored on the server and executed in the context of the user when the page is accessed. The vulnerability can be exploited remotely, posing significant risks such as session hijacking, credential theft, and the introduction of malware.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the page. This could lead to session hijacking, theft of cookies and credentials, and the execution of malware.

Reproduction

To reproduce this vulnerability, access the '/module/FormulaMedia/edit' endpoint. Insert a payload, such as an image tag with an 'onerror' event, into the 'Nome' and 'Fórmula de média final' fields. After saving, the payload will be executed when the trigger page is accessed.