Vulnerability Description
i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A SQL Injection vulnerability was found prior to the 2.9 branch in the `ieducar/intranet/funcionario_vinculo_det.php` file, which creates the query by concatenating the unsanitized GET parameter `cod_func`, allowing the attacker to obtain sensitive information such as emails and password hashes. Commit 7824b95745fa2da6476b9901041d9c854bf52ffe fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Portabilis | I-Educar | <= 2.9 |
Related Weaknesses (CWE)
References
- https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_ShTechnical Description
- https://github.com/portabilis/i-educar/commit/7824b95745fa2da6476b9901041d9c854bPatch
- https://github.com/portabilis/i-educar/security/advisories/GHSA-2v4w-7xqr-hxmrExploitThird Party Advisory
- https://portswigger.net/web-security/sql-injectionTechnical Description
FAQ
What is CVE-2024-45059?
CVE-2024-45059 is a vulnerability with a CVSS score of 8.8 (HIGH). i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A SQL Injection vulnerability was found prior to the 2.9 br...
How severe is CVE-2024-45059?
CVE-2024-45059 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-45059?
Check the references section above for vendor advisories and patch information. Affected products include: Portabilis I-Educar.