| タイトル | Portabilis i-diario 1.5.0 Cross Site Scripting |
|---|
| 説明 | ### Summary
An attacker can upload a malicious SVG file containing embedded JavaScript that is executed when the file is accessed directly. This results in Stored Cross-Site Scripting (XSS).
### Details
The `justificativas-de-falta` endpoint allows users to upload files after upload a crafted svg the XSS could be trigger when open the file.
Payload:
```
<svg xmlns="http://www.w3.org/2000/svg" fill="none">
<script>
alert("This is an XSS-POC from CVEHUNTERS");
</script>
</svg>
```
### PoC
Create the file with the payload and upload in the `justificativas-de-falta` endpoint:
After that open the file to trigger the XSS
### Impact
- Exploitation of these vulnerabilities allows an attacker to inject and store malicious JavaScript code on the server, which will be executed for all users accessing the affected pages. This malicious code can:
- Steal sensitive user information (e.g., session cookies, authentication tokens),
- Redirect users to malicious sites,
- Manipulate the application's interface, enabling phishing attacks and other social engineering techniques,
- Compromise the application's integrity, causing potentially severe impacts to user experience and security
by [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)
|
|---|
| ソース | ⚠️ https://github.com/nmmorette/vulnerability-research/tree/main/idiario |
|---|
| ユーザー | nmmorette (UID 87361) |
|---|
| 送信 | 2025年07月02日 17:29 (10 月 ago) |
|---|
| モデレーション | 2025年07月19日 07:53 (17 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 316983 [Portabilis i-Diario 1.5.0 justificativas-de-falta Endpoint Anexo クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|