Portabilis i-Educar Cross-Site Scripting Vulnerability in educar_tipo_regime_cad.php

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the /intranet/educar_tipo_regime_cad.php file, specifically within the nm_tipo parameter. This vulnerability allows for the injection of malicious scripts, which are then executed in the context of the user accessing the page. The flaw can be exploited remotely, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the affected page. This could lead to session hijacking, credential theft, and the execution of malicious actions on behalf of the user.

Reproduction

To reproduce this vulnerability, access the /intranet/educar_tipo_regime_cad.php endpoint. Select the default option in the first field and insert a payload, such as a script injection, into the second field (labeled 'Nome Tipo'). After clicking 'Salvar', the trigger page (/intranet/educar_tipo_regime_lst.php) will be activated automatically, executing the injected script.