Submit #604879: Portabilis i-Educar 2.9.0 Stored Cross Site Scripting

Title: Portabilis i-Educar 2.9.0 Stored Cross Site Scripting
Description:

Hello team! A Stored XSS vulnerability was identified in the "Nome" field within the Curricular Components module of i-Educar. An authenticated attacker can inject malicious JavaScript that will be executed each time the component list is accessed.

Vulnerability Type: Stored Cross-Site Scripting (XSS)
Affected Application: i-Educar
Vulnerable Endpoint: /module/ComponenteCurricular/edit?id=ID
Vulnerable Parameter: "Nome" field (stored via /intranet/educar_componente_curricular_lst.php)

PoC Step-by-Step

1 - Authentication: Log in to i-Educar with valid credentials.
2 - Access the "Escola" module: Navigate to: Escola > Cadastro > Componentes Curriculares. URL: /intranet/educar_componente_curricular_lst.php
3 - Create or Edit "Componentes curriculares" Entry: Either create a new "Componentes curriculares" or edit an existing one.
4 - Edit Vulnerable Field "Nome": Go to: module/ComponenteCurricular/edit?id=ID
    [image]
5 - Insert Payload: In the "Nome" field, insert: <script>alert('PoC VulDB i-Educar Pacxxx')</script>
6 - Save and Trigger:
    [image]

Recommendations & Mitigations

Input Sanitization: Reject or neutralize input containing scripts or HTML.
Output Encoding: Properly encode all user input before rendering in HTML.
Use of XSS Mitigation Libraries: Tools like OWASP Java Encoder, HTMLPurifier, or DOMPurify should be employed.
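The following PHP snippet is an added illustration of the "Output Encoding" recommendation above; it is not code from i-Educar or from the submitter. It assumes a hypothetical list-rendering function that prints a curricular component's "Nome" value in a table row (the function names, the sample row and the database shape are all constructed for the example). It shows the unsafe interpolation that makes a stored value executable in the browser next to the hardened version that HTML-encodes at the output boundary, so the same stored string is rendered as literal text instead.

```php
<?php
// Added example (not i-Educar's code): rendering a curricular component's
// "Nome" in an HTML list, first unsafely, then with output encoding.

// Constructed sample row, standing in for what a database query would return
// after the payload from the report above was saved in the "Nome" field.
$componente = [
    'id'   => 42,
    'nome' => "<script>alert('PoC VulDB i-Educar Pacxxx')</script>",
];

// Vulnerable pattern: the stored value is interpolated into the markup
// verbatim, so the browser executes it every time the list is viewed.
function renderRowVulnerable(array $c): string
{
    return "<tr><td>{$c['id']}</td><td>{$c['nome']}</td></tr>";
}

// Hardened pattern: HTML-encode every dynamic value at the point where it is
// written into the page. ENT_QUOTES encodes both quote styles, so the same
// helper is also safe inside attribute values; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string (a silent failure).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRowSafe(array $c): string
{
    return '<tr><td>' . e((string) $c['id']) . '</td><td>' . e($c['nome']) . '</td></tr>';
}

// Self-check helper: does the produced HTML still contain a raw <script> tag?
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo renderRowVulnerable($componente), PHP_EOL; // raw tag reaches the browser
echo renderRowSafe($componente), PHP_EOL;       // &lt;script&gt;... shown as text

assert(containsRawScriptTag(renderRowVulnerable($componente)) === true);
assert(containsRawScriptTag(renderRowSafe($componente)) === false);
```

Encoding on output is the control that actually neutralizes stored XSS, because it protects every page that later displays the value regardless of how it was saved; the "Input Sanitization" item in the report is a useful second layer (for example, rejecting a component name that contains `<` or `>`), but on its own it is easy to bypass and does nothing for data that is already stored.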
Source: https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README15.md
User: RaulPACXXX (UID 84502)
Submission: 06/27/2025 02:45 (10 months ago)
Moderation: 07/06/2025 07:41 (9 days later)
Status: Accepted
VulDB entry: 315024 [Portabilis i-Educar 2.9.0 Curricular Components edit?id=ID Nome cross site scripting]
Points: 20