Key Information

Vulnerability Type: Cross Site Scripting (XSS)
Affected Product: Portabilis i-diário 1.6

Vulnerability Description:
- The application fails to properly validate and sanitize user-provided input, leading to a stored cross-site scripting vulnerability.
- The vulnerability exists in the input field, located on the page.

Detailed Information:
- The input field can be edited via BNCC > Dicionário de Termos BNCC.
- Arbitrary JavaScript can be inserted into it. Because the value is stored server-side, it is executed in the browser of every user who accesses the and pages, not only the user who submitted it.

PoC:
- First, modify the field and insert the payload: .
- When users access the and pages, the payload is triggered.

Affected Endpoint:
Affected Parameter:

Related Image Links:
- https://github.com/FeMarb/CVEs/blob/main/images/bncc_dic.png
- https://github.com/FeMarb/CVEs/blob/main/images/bncc_dic_res.png
- https://github.com/FeMarb/CVEs/blob/main/images/bncc_dic_res1.png
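The following Ruby snippet is an added illustration of the bug class described above; it is not code from i-diário and the advisory does not publish its payload, so the glossary entry, the `<img onerror>` payload and the rendering functions are all constructed here. It contrasts a view that interpolates a stored term into HTML as-is (the effect of `raw`/`html_safe` in a Rails template) with one that escapes every user-controlled value at output time, and includes the check a tester performs to confirm a stored payload survives into the rendered page.

```ruby
require "erb"

# Constructed sample glossary entry, shaped like what a user could submit
# through the dictionary form. The payload is illustrative, not the advisory's.
SAMPLE_TERM = {
  "term"       => "<img src=x onerror=alert(1)>",
  "definition" => "Exemplo de termo"
}.freeze

# Vulnerable rendering (assumed, not the project's code): the stored values are
# interpolated straight into markup, so browser-interpreted tags survive.
def render_term_vulnerable(entry)
  "<dt>#{entry['term']}</dt><dd>#{entry['definition']}</dd>"
end

# Hardened rendering: escape at the output boundary. ERB::Util.html_escape
# converts < > & " ' to entities, which is what Rails does by default when a
# value is not marked html_safe.
def render_term_escaped(entry)
  h = ERB::Util
  "<dt>#{h.html_escape(entry['term'])}</dt><dd>#{h.html_escape(entry['definition'])}</dd>"
end

# Tester's check: after submitting a payload, fetch the page that lists the
# dictionary and see whether the payload comes back byte-for-byte. An escaped
# page contains &lt;img ...&gt; instead, so the check fails there.
def payload_survives?(page_html, payload)
  page_html.include?(payload)
end

if __FILE__ == $PROGRAM_NAME
  puts render_term_vulnerable(SAMPLE_TERM)
  puts render_term_escaped(SAMPLE_TERM)
  puts "stored payload survives (vulnerable view): " \
       "#{payload_survives?(render_term_vulnerable(SAMPLE_TERM), SAMPLE_TERM['term'])}"
  puts "stored payload survives (escaped view):    " \
       "#{payload_survives?(render_term_escaped(SAMPLE_TERM), SAMPLE_TERM['term'])}"
end
```

Input-side "sanitization" alone is a weak fix for this class of bug: the same stored value may be rendered in several pages and contexts, so the reliable control is contextual escaping wherever the value is written into HTML, with a Content-Security-Policy as a second layer.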