| Título | Portabilis i-diario 1.5.0 Cross Site Scripting |
|---|
| Descripción | ### Summary
An attacker can upload a malicious SVG file containing embedded JavaScript that is executed when the file is accessed directly. This results in Stored Cross-Site Scripting (XSS).
### Details
The `justificativas-de-falta` endpoint allows users to upload files after upload a crafted svg the XSS could be trigger when open the file.
Payload:
```
<svg xmlns="http://www.w3.org/2000/svg" fill="none">
<script>
alert("This is an XSS-POC from CVEHUNTERS");
</script>
</svg>
```
### PoC
Create the file with the payload and upload in the `justificativas-de-falta` endpoint:
After that open the file to trigger the XSS
### Impact
- Exploitation of these vulnerabilities allows an attacker to inject and store malicious JavaScript code on the server, which will be executed for all users accessing the affected pages. This malicious code can:
- Steal sensitive user information (e.g., session cookies, authentication tokens),
- Redirect users to malicious sites,
- Manipulate the application's interface, enabling phishing attacks and other social engineering techniques,
- Compromise the application's integrity, causing potentially severe impacts to user experience and security
by [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)
|
|---|
| Fuente | ⚠️ https://github.com/nmmorette/vulnerability-research/tree/main/idiario |
|---|
| Usuario | nmmorette (UID 87361) |
|---|
| Sumisión | 2025-07-02 17:29 (hace 10 meses) |
|---|
| Moderación | 2025-07-19 07:53 (17 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 316983 [Portabilis i-Diario 1.5.0 justificativas-de-falta Endpoint Anexo secuencias de comandos en sitios cruzados] |
|---|
| Puntos | 20 |
|---|