| 제목 | Portabilis i-Educar 2.9.0 Stored Cross Site Scripting |
|---|
| 설명 | A stored XSS vulnerability was identified in the i-Educar system within the Agenda module. Authenticated users can inject malicious JavaScript code into the agenda_rap_titulo/novo_titulo (Title) field of a scheduled appointment. Once saved, the malicious payload is stored in the system's database and is executed every time the Agenda page is viewed by any user, including administrators.
1 - Log in to the i-Educar platform with valid credentials.
2 - Navigate to:
Pessoas > Agenda or directly to /intranet/agenda.php
3 - Click to edit or create a new appointment.
4 - In the Title field (agenda_rap_titulo), insert the payload:
<script>alert('PoC VulDB i-Educar PaCXXX')</script>
5 - Click Salvar Alterações.
6 - Reload the Agenda page to trigger the payload execution.
Impact:
Persistent client-side code execution
Potential session hijacking
Redirects or phishing attacks
Access to user data within session scope |
|---|
| 원천 | ⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README17.md |
|---|
| 사용자 | RaulPACXXX (UID 84502) |
|---|
| 제출 | 2025. 06. 27. PM 07:42 (8 개월 ago) |
|---|
| 모더레이션 | 2025. 07. 19. AM 07:53 (22 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 316980 [Portabilis i-Educar 2.9.0/2.10.0 Agenda /intranet/agenda.php novo_titulo/novo_descricao 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|