Submission #629168: Portabilis i-diário 1.6 Cross Site Scripting

Title: Portabilis i-diário 1.6 Cross Site Scripting
Description:

Summary

The application fails to properly validate and sanitize user-supplied input, leading to a stored cross-site scripting vulnerability in the Planos de ensino input field on [_/dicionario-de-termos-bncc_](https://idiario.ieducar.com.br/dicionario-de-termos-bncc).

Details

While editing the Planos de ensino input field, which can be accessed at BNCC > Dicionário de Termos BNCC, it is possible to insert arbitrary JavaScript code, which is then stored and executed once the user accesses the [Planos de ensino por disciplina](https://idiario.ieducar.com.br/planos-de-ensino-por-disciplina) and the [Planos de ensino por áreas do conhecimento](https://idiario.ieducar.com.br/planos-de-ensino-por-areas-de-conhecimento) pages.

PoC

Firstly, the Planos de ensino field was changed and the payload `"><img src=x onerror=alert('XSS-PoC')>` was inserted.

image: https://github.com/FeMarb/CVEs/blob/main/images/bncc_dic.png

Secondly, once the user accesses the _Planos de ensino por disciplina_ and the _Planos de ensino por áreas do conhecimento_ pages, the payload is triggered.

image: https://github.com/FeMarb/CVEs/blob/main/images/bncc_dic_res.png
image: https://github.com/FeMarb/CVEs/blob/main/images/bncc_dic_res1.png

**Affected endpoint => /dicionario-de-termos-bncc**
**Affected parameter => Planos de ensino**

Impact

- Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
- Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
- Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
- Stealing credentials: Attackers can steal a user's credentials.
- Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
- Defacing websites: Attackers can deface a website by altering its content.
- Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
- Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Discoverer: [Fernanda Martins](https://github.com/FeMarb/) (founder), [Natan Morette](https://br.linkedin.com/in/nmmorette/pt) (coordinator), by [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)
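The root cause described above is a stored value reaching the page markup without output encoding. The following Ruby snippet is an added example, not code from the advisory or from the i-diário project (Ruby is chosen because i-diário is a Rails application): it renders the payload quoted in the PoC through an assumed vulnerable template fragment and through the same fragment hardened with the standard library's `ERB::Util.html_escape`, then runs a small regression check over both listing pages named in the report. The `<td class="plano">` markup, the function names and the page audit loop are assumptions for illustration.

```ruby
require "erb"

# Payload quoted in the advisory's PoC (used here as constructed test input).
XSS_PAYLOAD = %q{"><img src=x onerror=alert('XSS-PoC')>}

# Assumed vulnerable pattern: the stored field value is interpolated into the
# page markup verbatim, so browser-active characters in user data become HTML.
def render_plano_unsafe(plano)
  "<td class=\"plano\">#{plano}</td>"
end

# Hardened pattern: encode on output. ERB::Util.html_escape maps & < > " and '
# to entities; this is what Rails' auto-escaping and the `h` helper rely on.
def render_plano_safe(plano)
  "<td class=\"plano\">#{ERB::Util.html_escape(plano)}</td>"
end

# Regression check: strip the wrapping cell and see whether any tag opener
# survives in the content. An entity-encoded "onerror=" in plain text is inert,
# so only a literal "<" followed by a tag name counts as leaked markup.
def active_markup_leaked?(fragment)
  inner = fragment.sub(/\A<td[^>]*>/, "").sub(%r{</td>\z}, "")
  inner.match?(%r{<\s*/?\w+})
end

# Both listing pages render the same stored value, so the check must hold on
# each of them; the renderer is passed in as a Method object.
def audit_pages(stored_value, renderer)
  %w[planos-de-ensino-por-disciplina planos-de-ensino-por-areas-de-conhecimento]
    .map { |page| [page, active_markup_leaked?(renderer.call(stored_value))] }
    .to_h
end

if __FILE__ == $PROGRAM_NAME
  puts render_plano_unsafe(XSS_PAYLOAD)
  puts render_plano_safe(XSS_PAYLOAD)
  p audit_pages(XSS_PAYLOAD, method(:render_plano_unsafe))
  p audit_pages(XSS_PAYLOAD, method(:render_plano_safe))
end
```

Encoding at the output boundary is the fix that survives whatever the input filter missed; an input-side filter on the Planos de ensino field is at most defence in depth, and the audit helper above is a review aid for rendered fragments, not a sanitizer.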
Source: https://github.com/FeMarb/CVEs/blob/6eeefb2749bb6165557ed4664a0680456131e4de/I-diario/Cross-Site%20Scripting%20(XSS)%20Storage%20in%20endpoint%20_dicionario-de-termos-bncc%20parameter%20Planos%20de%20ensino%20input%20field.md
User: FeeMarb (UID 88589)
Submitted: 06/08/2025 02:02 (11 months ago)
Moderated: 13/08/2025 12:53 (7 days later)
Status: Accepted
VulDB entry: 319879 [Portabilis i-Diario 1.6 Dicionário de Termos BNCC Page dicionario-de-termos-bncc Planos de ensino cross site scripting]
Points: 20
