Portabilis i-Educar Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the User Data Page component, specifically within the file '/intranet/meusdadod.php'. The vulnerability is triggered by manipulating the 'file' parameter, allowing the injection of malicious JavaScript that is executed when the file is accessed. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could lead to session hijacking, account takeover, phishing attacks, persistent exploitation, and damage to reputation and user trust.

Reproduction

To reproduce this vulnerability, navigate to the user data page '/intranet/meusdadod.php'. Upload a new avatar photo and capture the request. Insert the payload, which consists of an SVG image containing a script tag with JavaScript, into the file section. The cross-site scripting is triggered when someone opens the user profile picture URL.
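Added example (not i-Educar's own code): a server-side allow-list check for avatar uploads, plus the response headers for serving a stored avatar, which is the mitigation a defender would apply to the upload path described above. The function names, size cap and sample inputs are constructed for the example.

```python
"""Server-side avatar upload validation (constructed example, not i-Educar code).

Mitigation for stored XSS via an uploaded SVG: accept only raster images whose
bytes match an allow-listed magic number, and never trust the client-supplied
filename or Content-Type. Anything that looks like markup is rejected outright.
"""
import re

# Allow-listed magic numbers for raster avatar formats.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 2 * 1024 * 1024  # hypothetical size cap for an avatar

# Markup-looking leading bytes (SVG, XML, HTML) are never acceptable as an avatar.
_MARKUP = re.compile(rb"^\s*(?:<\?xml|<svg|<!doctype|<html|<script)", re.IGNORECASE)


def validate_avatar(data: bytes) -> tuple:
    """Return (ok, extension-or-reason). The decision uses only the file bytes."""
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload"
    head = data[3:259] if data.startswith(b"\xef\xbb\xbf") else data[:256]  # skip UTF-8 BOM
    if _MARKUP.match(head):
        return False, "markup content (SVG/XML/HTML) is not an allowed avatar format"
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return True, ext
    return False, "unrecognised image format"


def response_headers_for_avatar(ext: str) -> dict:
    """Headers for serving a stored avatar: the MIME type comes from the
    server-validated extension, MIME sniffing is disabled, and a restrictive
    CSP stops script execution even if validation is ever bypassed."""
    mime = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}[ext]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline; filename=avatar." + ext,
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and an SVG carrying a script element.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>'
    print(validate_avatar(png), validate_avatar(svg))
```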

Added: Feb 6, 2026, 8:18 PM
Updated: Feb 6, 2026, 10:17 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.