| Title | Portabilis i-Educar 2.9.0 Stored Cross Site Scripting |
|---|
| Description | Hello team!
A stored XSS vulnerability was discovered in the i-Educar platform, specifically within the Turma module. An attacker can inject malicious JavaScript code into the "Class Type" (nm_tipo) field. This code is then stored in the database and executed in the browser of any user who visits the affected page, without further interaction.
Module: Turma (intranet/educar_turma_tipo_det.php?cod_turma_tipo=ID)
Vulnerable Field: Turma Tipo (nm_tipo)
Proof of Concept (PoC) Steps
1 - Log in: Authenticate to the i-Educar platform using valid credentials.
2 - Go to "Início / Escola / Editar tipo de turma". Access the Turma via: Escola > Cadastro > Tipo > Turma > Tipo de Turma
/intranet/educar_turma_tipo_lst.php
3 - Edit or Create a "Turma Tipo"
Insert the XSS payload in the "Turma Tipo" (nm_tipo) field:
<script>alert('PoC VulDB i-Educar PaCXXX')</script>
4 - Click "Salvar"
5 - Trigger the Payload: Reopen the page — the script will execute.
|
|---|
| Source | ⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README19.md |
|---|
| User | RaulPACXXX (UID 84502) |
|---|
| Submission | 27.06.2025 21:40 (10 months ago) |
|---|
| Moderation | 19.07.2025 07:53 (21 days later) |
|---|
| Status | accepted |
|---|
| VulDB entry | 316982 [Portabilis i-Educar 2.9.0 Turma educar_turma_tipo_det.php?cod_turma_tipo=ID nm_tipo cross site scripting] |
|---|
| Points | 20 |
|---|