Regularus3R

**Name of the Vulnerable Software and Affected Versions** Portabilis i-Educar versions up to 2.9 **Description** A problematic issue has been found in Portabilis i-Educar, affecting some unknown functionality of the file /usuarios/tipos/2 of the component Tipo de Usuário Page. The manipulation of the `name` argument leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For Portabilis i-Educar versions up to 2.9, as a temporary workaround, consider restricting access to the /usuarios/tipos/2 file of the Tipo de Usuário Page component until a patch is available. Avoid using the `name` argument in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Portabilis i-Educar version 2.9 **Description** A reflected Cross-Site Scripting issue exists in the standard documentation upload functionality, allowing an attacker to craft malicious URLs with arbitrary javascript in the `titulo documento` parameter. This enables the manipulation of URLs to inject malicious scripts. **Recommendations** For Portabilis i-Educar version 2.9, as a temporary workaround, consider restricting access to the documentation upload functionality until a patch is available. Avoid using the `titulo documento` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.