Key Information

Vulnerability Type: Multiple Stored Cross-Site Scripting (XSS)

Vulnerability Description
Multiple stored cross-site scripting (XSS) vulnerabilities exist in the file. Attackers can inject malicious scripts via the and parameters. These scripts are stored on the server and automatically executed when the affected page is accessed by users.

Vulnerability Details
Vulnerable Endpoint:
Parameters: ,
Trigger Page:

Proof of Concept (PoC)
1. Access the vulnerable endpoint.
2. Insert payload in the field: .
3. Insert payload in the field: .
4. Click the "Salvar" button.
5. The trigger page will automatically activate, displaying alert popups.

Impact
Session Cookie Theft: Attackers can steal session cookies to hijack user sessions and perform actions on behalf of users.
Malware Download: Attackers can trick users into downloading and installing malware.
Browser Hijacking: Attackers can hijack users' browsers or deliver browser-based exploits.
Credential Theft: Attackers can steal user credentials.
Sensitive Information Disclosure: Attackers can access sensitive information stored in user accounts or browsers.
Website Defacement: Attackers can deface the website by modifying its content.
User Misdirection: Attackers can alter instructions provided to users visiting the target site, misleading their behavior.
Reputation Damage: Attackers can damage the enterprise's reputation by defacing company websites or spreading false information.
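
Remediation sketch, added here as an example and not taken from the affected project's code: the stored-then-rendered pattern described above, shown once with the unencoded output and once with output encoding, plus a parser-based regression check for the rendered trigger page. The names field_a, field_b, STORE and the page template are hypothetical, since the advisory does not name the real file or parameters; the sample inputs are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for server-side storage. The advisory does not name the
# real file or parameters, so field_a and field_b are hypothetical.
STORE = {}

def save(record_id, field_a, field_b):
    # Store the input as submitted; encoding belongs at output time.
    STORE[record_id] = {"field_a": field_a, "field_b": field_b}

def render_vulnerable(record_id):
    # Flaw pattern: stored values are concatenated into markup unencoded.
    r = STORE[record_id]
    return '<h1>%s</h1><input name="b" value="%s">' % (r["field_a"], r["field_b"])

def render_hardened(record_id):
    # html.escape with quote=True covers element and quoted-attribute contexts.
    r = STORE[record_id]
    return '<h1>%s</h1><input name="b" value="%s">' % (
        html.escape(r["field_a"], quote=True),
        html.escape(r["field_b"], quote=True),
    )

class _Audit(HTMLParser):
    # Records markup that should never originate from stored user data.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        self.findings += ["event handler: " + n for n, _ in attrs if n.startswith("on")]

def audit(page):
    # Regression check for the rendered trigger page.
    parser = _Audit()
    parser.feed(page)
    parser.close()
    return parser.findings

# Constructed sample inputs, one per rendering context.
save(1, "<script>alert(1)</script>", '" autofocus onfocus="alert(2)')

if __name__ == "__main__":
    print("vulnerable:", audit(render_vulnerable(1)))
    print("hardened:  ", audit(render_hardened(1)))
```

The audit function can run in a test suite against every page that displays the two stored fields, so a template that drops the encoding call fails the build.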