Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2024-45059

Disclosure Date: August 28, 2024
CVE-2024-45059 CVSS v3 Base Score: 8.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A SQL Injection vulnerability was found prior to the 2.9 branch in the ieducar/intranet/funcionario_vinculo_det.php file, which creates the query by concatenating the unsanitized GET parameter cod_func, allowing the attacker to obtain sensitive information such as emails and password hashes. Commit 7824b95745fa2da6476b9901041d9c854bf52ffe fixes the issue.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
i-educar < 2.9
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • portabilis

Products

  • i-educar
Technical Analysis