i-Educar
i-Educar is free, fully online school management software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available.
i-Educar is free, fully online school management software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available.
i-Educar is free, fully online school management software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity. This SQL injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Insecure inherited permissions in Portabilis i-Educar up to version 2.9.10 allow authenticated remote attackers to escalate privileges through the User Type Handler component in AccessLevelController.php, potentially gaining unauthorized access to protected functionality. The vulnerability requires valid login credentials (PR:L) but carries low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists, though the EPSS score of 0.06% (19th percentile) suggests limited real-world exploitation despite public disclosure.
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via the descricao parameter in /intranet/educar_escolaridade_lst.php, requiring user interaction to execute. The vulnerability has a low CVSS score of 2.1 and an EPSS exploitation probability of 0.11%, but publicly available exploit code exists and the vendor did not respond to early disclosure.
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via the titulo_avaliacao parameter in /intranet/educar_avaliacao_desempenho_lst.php. The vulnerability requires user interaction (clicking a malicious link) but has a low CVSS score of 2.1 and a minimal EPSS exploitation probability of 0.11%, placing it in the 29th percentile. Publicly available exploit code exists and the vendor has not responded to disclosure attempts.
Reflected cross-site scripting in Portabilis i-Educar 2.9 allows remote attackers to inject arbitrary JavaScript via the campo_busca and cpf parameters in /intranet/pesquisa_pessoa_lst.php. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, or defacement of educational records. Publicly available exploit code exists; the vendor did not respond to disclosure.
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via the 'nome' parameter in /intranet/funcionario_vinculo_lst.php. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, and unauthorized administrative actions. Public exploit code is available, though EPSS probability remains low at 0.11% percentile, suggesting limited real-world exploitation despite disclosure.
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote unauthenticated attackers to inject arbitrary JavaScript via the nome or matricula_servidor parameters in /intranet/educar_servidor_lst.php. The vulnerability requires user interaction (clicking a malicious link) and has low confidentiality impact but can lead to session hijacking or credential theft. Publicly available exploit code exists, though exploitation likelihood remains low (EPSS 0.11%) due to the user interaction requirement and limited real-world impact surface.
Stored cross-site scripting (XSS) in Portabilis i-Educar 2.10 via the atendidos_cad.php file allows authenticated remote attackers with user interaction to inject malicious scripts through the nome, nome_social, or email parameters, resulting in minor integrity impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.10 allows remote unauthenticated attackers to inject arbitrary JavaScript via the ref_cod_matricula parameter in /educar_aluno_lst.php, affecting users who click malicious links. The vulnerability has publicly available exploit code and a low CVSS score (2.1) due to the requirement for user interaction, but represents a typical web application flaw in educational management systems with potential for credential theft or session hijacking.
Stored cross-site scripting in Portabilis i-Educar 2.9.0 allows authenticated remote attackers to inject malicious scripts via the nm_tipo parameter in the Turma Module administrative interface. The vulnerability requires user interaction and affects the integrity of application data. Publicly available exploit code exists, and the vendor has not responded to disclosure.
Stored cross-site scripting in Portabilis i-Educar up to version 2.10 allows authenticated remote attackers to inject malicious scripts via the Motivo/descricao parameter in the Calendar Module (/intranet/educar_calendario_dia_motivo_cad.php), requiring user interaction to execute. Public exploit code is available and the vendor has not responded to disclosure attempts despite early notification.
Stored cross-site scripting (XSS) vulnerability in Portabilis i-Educar 2.9.0 and 2.10.0 allows authenticated users to inject malicious scripts via the novo_titulo and novo_descricao parameters in the Agenda Module (/intranet/agenda.php), which are then executed in the browsers of other users viewing the affected content. The vulnerability requires user interaction (victim must view the crafted agenda entry) and authenticated access, resulting in a low-severity impact with an EPSS exploitation probability of 0.06% (19th percentile). Public exploit code is available, though the vendor did not respond to early disclosure notification.
Stored cross-site scripting (XSS) in Portabilis i-Educar 2.9.0 allows authenticated users to inject malicious scripts via the 'Deficiência ou Transtorno' parameter in the Disabilities Module (/intranet/educar_deficiencia_lst.php), affecting other users who view the injected content. The vulnerability requires user interaction (victim must view the page) and authenticated access, limiting its severity to reflected/stored XSS with user-level privileges. Public exploit code exists, but active exploitation has not been confirmed in CISA KEV, and the vendor has not responded to disclosure.
i-Educar is free, fully online school management software. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.