CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS
Percentile
17.7%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial
i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the dynamic generation of HTML fields prior to the 2.9 branch. The file located at ieducar/intranet/include/clsCampos.inc.php
does not properly validate or sanitize user-controlled input, leading to the vulnerability. Any page that uses this implementation is vulnerable, such as intranet/educar_curso_lst.php?nm_curso=<payload>
, intranet/atendidos_lst.php?nm_pessoa=<payload>
, intranet/educar_abandono_tipo_lst?nome=<payload>
. Commit f2d768534aabc09b2a1fc8a5cc5f9c93925cb273 contains a patch for the issue.
[
{
"cpes": [
"cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:*"
],
"vendor": "portabilis",
"product": "i-educar",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom",
"lessThanOrEqual": "2.9"
}
],
"defaultStatus": "unknown"
}
]
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS
Percentile
17.7%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial