| शीर्षक | Portabilis i-Educar 2.9.0 Stored Cross Site Scripting |
|---|
| विवरण | Hello team!
This vulnerability allows an attacker to store malicious JavaScript in the "Motivo" field of the calendar module. The payload is then executed whenever the listing page is accessed, impacting all users with access to this module. This can lead to:
Session hijacking
Credential theft
Redirection to malicious websites
Full browser compromise depending on browser/plugins/extensions
1. Log in
Authenticate to the i-Educar platform using valid credentials.
2. Go to "Tipos de evento do calendário"
Access the calendário via:
Escola > Cadastro > Tipo > Calendário
/intranet/educar_calendario_dia_motivo_lst.php
4. Edit or Create an "Calendário Dia Motivo - Listagem"
Insert the XSS payload in the "Motivo" (nm_motivo) field:
<script>alert('PoC VulDB i-Educar PaCXXX')</script>
4. Save the Appointment
Click "Salvar".
5. Trigger the Payload
Reopen the page — the script will execute.
|
|---|
| स्रोत | ⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README18.md |
|---|
| उपयोगकर्ता | RaulPACXXX (UID 84502) |
|---|
| सबमिशन | 27/06/2025 09:04 PM (10 महीनों पहले) |
|---|
| संयम | 19/07/2025 07:53 AM (21 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 316981 [Portabilis i-Educar तक 2.10 Calendar educar_calendario_dia_motivo_cad.php Motivo/descricao क्रॉस साइट स्क्रिप्टिंग] |
|---|
| अंक | 20 |
|---|