Key Information Vulnerability Type Cross-Site Scripting (XSS) Storage Affected Endpoints and Parameters Affected Endpoint: Affected Parameter: Planos de ensino Vulnerability Details The application fails to properly validate and sanitize user input, leading to a stored cross-site scripting vulnerability. When editing the input field, arbitrary JavaScript code can be inserted. This code is stored and executed when users access the and pages. PoC (Proof of Concept) 1. Modify the field and insert payload: . 2. The payload is triggered when users access the relevant pages. Impact Session Cookie Theft: Attackers can steal session cookies to hijack user sessions and perform actions on their behalf. Malware Download: Attackers can trick users into downloading and installing malware. Browser Hijacking: Attackers can hijack users’ browsers or deliver browser-based exploits. Credential Theft: Attackers can steal user credentials. Sensitive Information Disclosure: Attackers can access sensitive information stored in user accounts or browsers. Website Tampering: Attackers can alter website content. User Misdirection: Attackers can modify instructions for users visiting the target site, misleading their behavior. Reputation Damage: Attackers can damage the enterprise’s reputation by tampering with the company’s website or spreading false information. Discoverers Fernanda Martins (Founder) Natan Morette (Coordinator) Supported by CVE-Hunters