| Title | Portabilis i-diário 1.6 Cross Site Scripting |
|---|---|
**Description**

**Summary**

The application fails to properly validate and sanitize user-supplied input, leading to a stored cross-site scripting vulnerability in the _código_ and _objetivo/habilidade_ input fields on [/objetivos-de-aprendizagem-e-habilidades](https://idiario.ieducar.com.br/objetivos-de-aprendizagem-e-habilidades).

**Details**

While editing the _código_ and _objetivo/habilidade_ input fields, which can be accessed at BNCC > Objetivos de aprendizagem e habilidades, it is possible to insert arbitrary JavaScript code. The code is stored and is executed once a user accesses the [History](https://idiario.ieducar.com.br/objetivos-de-aprendizagem-e-habilidades/1402/historico) page.

**PoC**

First, the _código_ and _objetivo/habilidade_ fields were edited and the payload `"><img src=x onerror=alert('XSS-PoC')>` was inserted into each.

image: https://github.com/FeMarb/CVEs/blob/main/images/bncc_obj_pay1.png
image: https://github.com/FeMarb/CVEs/blob/main/images/bncc_obj_pay.png
image: https://github.com/FeMarb/CVEs/blob/main/images/bncc_obj.png
image: https://github.com/FeMarb/CVEs/blob/main/images/bncc_obj_res1.png

Second, once a user accesses the [History](https://idiario.ieducar.com.br/objetivos-de-aprendizagem-e-habilidades/1402/historico) page, the payload is triggered.

image: https://github.com/FeMarb/CVEs/blob/main/images/bncc_obj_res.png

**Affected endpoint => /objetivos-de-aprendizagem-e-habilidades**
**Affected parameter => Código and Objetivo/Habilidade**
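An added illustration, not part of the advisory or of the i-diário code base, of why the quoted payload fires and how output encoding neutralizes it: the history page emits the stored field values without HTML encoding. The page does not name the application's framework, so a Ruby/ERB view is assumed here, and the record values are constructed from the payload quoted above.

```ruby
require "erb"

# Constructed sample record: what an editor saved in the two affected fields,
# including the payload quoted in the advisory.
RECORD = {
  "codigo" => %q{"><img src=x onerror=alert('XSS-PoC')>},
  "objetivo_habilidade" => "Ler textos curtos <b>com autonomia</b>"
}.freeze

# Vulnerable pattern (assumed, for illustration): stored values are
# interpolated straight into the history table, so the browser parses any
# markup they contain as part of the page.
def render_history_unsafe(record)
  "<td>#{record['codigo']}</td><td>#{record['objetivo_habilidade']}</td>"
end

# Hardened pattern: every stored value is HTML-entity encoded on output with
# ERB::Util.html_escape, which rewrites & < > " and ', so the payload can no
# longer break out of the text node and is shown as literal text.
def render_history_safe(record)
  "<td>#{ERB::Util.html_escape(record['codigo'])}</td>" \
    "<td>#{ERB::Util.html_escape(record['objetivo_habilidade'])}</td>"
end

# Regression check for a test suite: list any tag names in the rendered HTML
# that the template itself does not emit. The template only emits <td>, so
# anything else is stored input that reached the page unencoded.
def foreign_tags(html)
  html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase).uniq - ["td"]
end

if __FILE__ == $PROGRAM_NAME
  p foreign_tags(render_history_unsafe(RECORD)) # => ["img", "b"]
  p foreign_tags(render_history_safe(RECORD))   # => []
end
```

The same check can be pointed at the real History page response in an integration test: any tag name outside the template's own set means a stored value reached the page unencoded.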
**Impact**

- Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
- Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
- Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
- Stealing credentials: Attackers can steal a user's credentials.
- Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
- Defacing websites: Attackers can deface a website by altering its content.
- Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
- Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.
**Discoverer**

[Fernanda Martins](https://github.com/FeMarb/) (founder)
[Natan Morette](https://br.linkedin.com/in/nmmorette/pt) (coordinator)
by [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)

| Field | Value |
|---|---|
| Source | https://github.com/FeMarb/CVEs/blob/6eeefb2749bb6165557ed4664a0680456131e4de/I-diario/Cross-Site%20Scripting%20(XSS)%20Storage%20in%20endpoint%20_objetivos-de-aprendizagem-e-habilidades%20parameters%20c%C3%B3digo%20and%20objetivo_habilidade%20input%20fiel |
| User | FeeMarb (UID 88589) |
| Submitted | 2025-08-06 01:54 (11 months ago) |
| Moderation | 2025-08-13 12:53 (7 days later) |
| Status | Accepted |
| VulDB Entry | 319878 [Portabilis i-Diario up to 1.6 History Page objetivos-de-aprendizagem-e-habilidades código/objetivo habilidade Cross-Site Scripting] |
| Points | 20 |