| Title | Portabilis i-Educar 2.9.0 Stored Cross Site Scripting |
|---|
| Description | Hello team!
A Stored XSS vulnerability was discovered in the “Deficiência ou Transtorno” field of the disabilities module in i-Educar. An authenticated attacker can inject malicious JavaScript, which will be executed when the listing page is viewed.
1 - Authentication:
Log in to i-Educar with valid credentials.
2 - Access the "Disability and Disorder Types" module:
Path:
Pessoas > Cadastro > Tipo > Tipo de deficiência e transtorno
URL: /intranet/educar_deficiencia_lst.php
3 - Create or Edit Entry:
Either create a new entry or edit an existing one.
4 - Edit the Vulnerable Field:
Go to: /intranet/educar_deficiencia_cad.php?cod_deficiencia=ID
5 - Insert Payload:
In the “Deficiência ou Transtorno” field, insert:
<script>alert('PoC VulDB i-Educar Pacxxx')</script>
6 - Save and Trigger:
The malicious code will execute when the listing page is accessed.
Recommendations & Mitigations
Input Sanitization: Reject or sanitize input that contains script or HTML elements.
Output Encoding: Properly encode all user input before rendering it in HTML.
|
|---|
| Source | ⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README16.md |
|---|
| User | RaulPACXXX (UID 84502) |
|---|
| Submitted | 2025-06-27 07:23 PM (10 months ago) |
|---|
| Moderation | 2025-07-19 07:53 AM (22 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 316979 [Portabilis i-Educar 2.9.0 Disabilities educar_deficiencia_lst.php Deficiência ou Transtorno cross site scripting] |
|---|
| Points | 20 |
|---|
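
The two recommendations in the description (input validation on save, output encoding on the listing page), sketched in PHP as an added example; this is not code from i-Educar or from the report. The function names, the row layout and the 70-character limit are assumptions, and `mb_strlen` requires the mbstring extension.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; i-Educar's real code is not shown on this page.

/** Input validation on save: allow letters, digits, spaces and basic punctuation only. */
function validateDisabilityName(string $name): string
{
    $name = trim($name);
    // \p{L} = any letter (keeps Portuguese accents), \p{N} = any digit.
    // The 70-character limit is an assumed value for this example.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 70
        || !preg_match('/^[\p{L}\p{N} .,()\/\-]+$/u', $name)) {
        throw new InvalidArgumentException('Invalid "Deficiência ou Transtorno" value');
    }
    return $name;
}

/** Output encoding at render time: also covers rows stored before validation existed. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Builds the listing table; every stored value passes through e() before reaching HTML. */
function renderListing(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "  <tr><td><a href=\"educar_deficiencia_cad.php?cod_deficiencia=%d\">%s</a></td></tr>\n",
            (int) $row['id'],   // numeric id is cast, never echoed raw
            e($row['name'])     // stored text is HTML-encoded
        );
    }
    return $html . "</table>\n";
}

// Constructed sample rows: the second holds the payload quoted in the report.
$rows = [
    ['id' => 1, 'name' => 'Deficiência visual'],
    ['id' => 2, 'name' => "<script>alert('PoC VulDB i-Educar Pacxxx')</script>"],
];
echo renderListing($rows); // the payload is emitted as inert text, not as a script element

try {
    validateDisabilityName($rows[1]['name']);
} catch (InvalidArgumentException $ex) {
    echo 'rejected on save: ', $ex->getMessage(), "\n";
}
```

Encoding at render time is the control that closes the stored XSS; the save-time validation only reduces what can reach the database and does not fix rows already stored.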