Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Portabilis i-Educar 2.8.0 is vulnerable to SQL Injection in the "getDocuments" function of the "InstituicaoDocumentacaoController" class. The "instituicao_id" parameter in "/module/Api/InstituicaoDocumentacao?oper=get&resource=getDocuments&instituicao_id" is not properly sanitized, allowing an unauthenticated remote attacker to inject malicious SQL commands.
AnalysisAI
Portabilis i-Educar 2.8.0 is vulnerable to SQL Injection in the "getDocuments" function of the "InstituicaoDocumentacaoController" class. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Portabilis i-Educar 2.8.0 is vulnerable to SQL Injection in the "getDocuments" function of the "InstituicaoDocumentacaoController" class. The "instituicao_id" parameter in "/module/Api/InstituicaoDocumentacao?oper=get&resource=getDocuments&instituicao_id" is not properly sanitized, allowing an unauthenticated remote attacker to inject malicious SQL commands. Affected products include: Portabilis I-Educar.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators
i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators
i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators
A reflected Cross-Site Scripting vulnerability in the standard documentation upload functionality in Portabilis i-Educar
A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar up to 2.9. Rated medium seve
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via
Reflected cross-site scripting in Portabilis i-Educar 2.9 allows remote attackers to inject arbitrary JavaScript via the
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote unauthenticated attackers to inject arbitr
Insecure inherited permissions in Portabilis i-Educar up to version 2.9.10 allow authenticated remote attackers to escal
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.10 allows remote unauthenticated attackers to inject arbit
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today