Key Information

Vulnerability title: Portabilis i-diario 1.5.0 Cross Site Scripting

Description

Summary:
- An attacker can upload a malicious SVG file containing embedded JavaScript that is executed when the file is accessed directly. This results in Stored Cross-Site Scripting (XSS).

Full Details:
- The justificativas-de-faltas endpoint allows users to upload files. After uploading a crafted SVG file, XSS could be triggered when opening the file.

Payload example

PoC steps

Create the file with the payload and upload it in the justificativas-de-faltas endpoint. Then open the file to trigger the XSS.

Impact

Allows attackers to execute arbitrary JavaScript code in the victim's browser, potentially leading to session hijacking, data theft, or other malicious activities.
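The mitigation for this class of bug is twofold: reject SVG uploads that carry active content, and never let the browser render an uploaded file as a document inside the application's origin. The following is an added example in Ruby (the language i-diario is written in), not code from i-diario or this advisory; the helper names, the allowed extension list and the sample SVG strings are constructed for illustration.

```ruby
# Patterns that indicate script-capable content inside an SVG document.
# A regex scan is a pre-storage filter only; the download headers below are
# the mitigation that holds even if a pattern is missed.
ACTIVE_SVG_PATTERNS = [
  /<\s*script\b/i,                # embedded <script> elements
  /\son[a-z]+\s*=/i,              # event-handler attributes (onload=, onclick=, ...)
  /\bjavascript\s*:/i,            # javascript: URLs in href / xlink:href
  /<\s*foreignObject\b/i,         # lets arbitrary HTML be embedded in SVG
  /<\s*(iframe|embed|object)\b/i, # nested browsing contexts
  /\bhref\s*=\s*["']\s*data:/i,   # data: URLs that can carry scripts
].freeze

# Returns the source of each pattern found in the SVG body (empty => no active content).
def active_svg_content(svg)
  ACTIVE_SVG_PATTERNS.select { |re| svg.match?(re) }.map(&:source)
end

# Accept an upload only for an allow-listed extension and, for SVG, only when
# the body contains none of the active-content patterns.
def upload_allowed?(filename:, content_type:, body:)
  ext = File.extname(filename).downcase
  return false unless %w[.png .jpg .jpeg .pdf .svg].include?(ext)
  return true unless ext == ".svg" || content_type == "image/svg+xml"
  active_svg_content(body).empty?
end

# Headers for serving any user-uploaded file: force a download, forbid MIME
# sniffing and sandbox the response so it can never run script in our origin.
def download_headers(filename)
  safe_name = filename.gsub(/[^\w.\-]/, "_")
  {
    "Content-Type" => "application/octet-stream",
    "Content-Disposition" => "attachment; filename=\"#{safe_name}\"",
    "X-Content-Type-Options" => "nosniff",
    "Content-Security-Policy" => "default-src 'none'; sandbox",
  }
end

# Constructed sample inputs: a plain drawing and one carrying script.
BENIGN_SVG  = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
HOSTILE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>'

if __FILE__ == $PROGRAM_NAME
  puts upload_allowed?(filename: "nota.svg", content_type: "image/svg+xml", body: BENIGN_SVG)  # true
  puts upload_allowed?(filename: "nota.svg", content_type: "image/svg+xml", body: HOSTILE_SVG) # false
  p active_svg_content(HOSTILE_SVG)
end
```

The `Content-Disposition: attachment` plus `nosniff` pair is what closes the "open the file to trigger the XSS" step even for files the scanner lets through.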