15/3/2019 - First warning email sent to email@example.com and firstname.lastname@example.org
15/3/2019 - Made a phone call and talked to José Fernandes
15/3/2019 - Reported to email@example.com, josé.firstname.lastname@example.org, email@example.com
Not sure if the correct email had an accent in the "e" or not, so I sent to both xD
In the page:
If you check the source code, there is a line with:
<ArcGISSecurity url="https://digc.cm-lisboa.pt/DIGC/tokens" username="app_wsgeo" password="R3A4OTYhaHM=" expiration="1440" />
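The line above is a client-side config element that carries a service account's username and password, so anyone who views the page source gets them. As an added example (not code from the original post or from the site in question), here is a small scanner that a defender can run over saved page sources or build output to flag config-style elements with credential-like attributes. It reports element name, attribute name and line, and masks the value so the report itself does not leak the secret. The sample source and all values in it are constructed placeholders, and the `ArcGISSecurity` element is only assumed to have the shape seen on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample of a served page (not the real site's source): a config
# element of the same shape as the one found on the page, with placeholder values.
SAMPLE_SOURCE = """
<html><head><title>Viewer</title></head><body>
<script src="app.js"></script>
<ArcGISSecurity url="https://example.invalid/tokens" username="svc_user"
    password="PLACEHOLDER_SECRET" expiration="1440" />
<Layer name="Parcels" url="https://example.invalid/arcgis/rest/services/Parcels" />
</body></html>
"""

# Attribute names that normally carry a secret when they appear in markup.
SECRET_ATTRS = re.compile(
    r"^(password|passwd|pwd|secret|token|apikey|api_key|client_secret)$", re.I
)
# A start tag (or self-closing tag) with its attribute list; end tags are skipped.
TAG_RE = re.compile(
    r"<([A-Za-z][\w:.-]*)((?:\s+[\w:.-]+\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))*)\s*/?>",
    re.S,
)
ATTR_RE = re.compile(r"([\w:.-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


@dataclass
class Finding:
    element: str
    attribute: str
    masked_value: str
    line: int


def mask(value):
    """Keep only the first and last two characters so the finding is recognisable but not reusable."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_embedded_credentials(source):
    """Return a Finding for every element attribute whose name looks like a credential."""
    findings = []
    for m in TAG_RE.finditer(source):
        element, attrs = m.group(1), m.group(2)
        line = source.count("\n", 0, m.start()) + 1
        for a in ATTR_RE.finditer(attrs):
            name = a.group(1)
            value = next(g for g in a.groups()[1:] if g is not None)
            if SECRET_ATTRS.match(name) and value:
                findings.append(Finding(element, name, mask(value), line))
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_SOURCE):
        print(f"line {f.line}: <{f.element} {f.attribute}=\"{f.masked_value}\">")
```

The fix on the server side is to keep the service credential out of anything sent to the browser: have the application obtain the ArcGIS token itself and proxy requests, so the client never sees the account. Running a check like this in CI against built static assets catches the regression before deployment.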
Login page took a second to find:
Tried it, and guess what? Successfully logged in as the admin.
I didn't understand what it was exactly, but I got to create an administration token that granted me admin privileges on the files without having to log in every single time. Should have invested more time in it before reporting it, maybe try to get RCE via PHP shell upload or something.
Oh, and the XSS:
http://atendimentovirtual.cm-lisboa.pt/CMLMensagem.aspx?msg=<Image SrcSet=K */; OnError=confirm'1'//>
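The `msg` parameter is reflected into the page without output encoding, which is what lets the payload above execute. As an added example (not code from the original post or from the site), here is the vulnerable pattern next to the corrected one, in Python so it runs stand-alone: the only change is HTML-entity-encoding the parameter for the element-text context before interpolation. The request URL is constructed with a placeholder hostname, the `msg` parameter is taken from the report, and the page template is assumed.

```python
import html
from urllib.parse import urlsplit, unquote_plus

# Constructed request URL (placeholder host); the msg value is the one from the report,
# used here only as a test input to show that encoding neutralises it.
REPORTED_URL = (
    "http://example.invalid/CMLMensagem.aspx?msg=<Image SrcSet=K */; OnError=confirm'1'//>"
)

# Assumed page template: the message is placed as element text inside a <p>.
TEMPLATE = '<html><body><p id="msg">{msg}</p></body></html>'


def msg_param(url):
    """Extract the raw msg query parameter. Splits on '&' only, so a ';' in the value survives."""
    for part in urlsplit(url).query.split("&"):
        name, _, value = part.partition("=")
        if name == "msg":
            return unquote_plus(value)
    return ""


def render_vulnerable(url):
    # Before: the parameter is interpolated into the HTML body as-is.
    return TEMPLATE.format(msg=msg_param(url))


def render_fixed(url):
    # After: entity-encode '<', '>', '&', '"' and "'" for the element-text context.
    # In ASP.NET the equivalent call is HttpUtility.HtmlEncode on the value.
    return TEMPLATE.format(msg=html.escape(msg_param(url), quote=True))


def contains_raw_markup(rendered_body):
    """Detection helper for a test suite: does reflected content reach the body as unencoded markup?"""
    inner = rendered_body.split('<p id="msg">', 1)[1].split("</p>", 1)[0]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(REPORTED_URL))
    print("fixed:     ", render_fixed(REPORTED_URL))
```

Encoding has to match the context the value lands in: `html.escape` is right for element text and for quoted attribute values, but a value placed inside a script block or a URL attribute needs the encoding for that context instead. A `Content-Security-Policy` without `'unsafe-inline'` is a useful second layer, since it would stop the inline `OnError` handler even if the encoding were missed.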