| タイトル | Portabilis i-diario 1.5.0 Cross Site Scripting (XSS) Stored |
|---|
| 説明 | Cross-Site Scripting (XSS) Stored endpoint '.planos-de-ensino-por-disciplina.(ID)' in multiples parameters
### Summary
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/planos-de-ensino-por-disciplina/[ID]` endpoint of the i-diario application. This vulnerability allows attackers to inject malicious scripts into `multiples parameters`. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.
### Details
Vulnerable Endpoint: `POST /planos-de-ensino-por-disciplina/[ID] `
Parameter: `Parecer, Conteúdos, Objetivos`
The application fails to properly validate and sanitize user inputs in the `Parecer, Conteúdos, Objetivos` parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.
### PoC
Payload: `"><script>alert('XSS-PoC')</script>`
1 - Insert the payload in the Parecer parameter.
2 - Save it
3 - Go to the option "Histórico"
![[Pasted image 20250702002209.png]]
The result:
![[Pasted image 20250702002235.png]]
The request:
![[Pasted image 20250702002314.png]]
### Impact
- Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
- Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
- Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
- Stealing credentials: Attackers can steal a user's credentials.
- Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
- Defacing websites: Attackers can deface a website by altering its content.
- Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
- Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website. |
|---|
| ソース | ⚠️ https://github.com/marcelomulder/CVE/blob/main/i-diario/Stored%20XSS%20endpoint%20planos-de-ensino-por-disciplina.(ID)%20in%20multiples%20parameters.md |
|---|
| ユーザー | marceloQz (UID 87549) |
|---|
| 送信 | 2025年08月02日 22:12 (11 月 ago) |
|---|
| モデレーション | 2025年08月17日 22:38 (15 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 320428 [Portabilis i-Diario 迄 1.5.0 Informações Adicionais Page planos-de-ensino-por-disciplina Parecer/Conteúdos/Objetivos クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|