CVE-2024-55651

i-Educar is free, fully online school management software. Version 2.9 of the application fails to properly validate and sanitize user supplied input, leading to a stored cross-site scripting vulnerability that resides within the user type (Tipo de Usuário) input field. Through this attacker vector a malicious user might be able to retrieve information belonging to another user, which may lead to sensitive information leakage or other malicious actions. As of time of publication, no patched versions are known to exist.

CVSS

No CVSS.

References

Link	Resource
https://github.com/portabilis/i-educar/security/advisories/GHSA-8fjj-9937-g84w

Configurations

No configuration.

History

08 May 2025, 14:39

Type	Values Removed	Values Added
Summary		(es) i-Educar es un software de gestión escolar gratuito y totalmente en línea. La versión 2.9 de la aplicación no valida ni depura correctamente la información proporcionada por el usuario, lo que genera una vulnerabilidad de cross site scripting almacenado en el campo de entrada "Tipo de Usuário". A través de este vector de ataque, un usuario malicioso podría obtener información de otro usuario, lo que podría provocar la filtración de información confidencial u otras acciones maliciosas. Al momento de la publicación, no se conocían versiones parcheadas.

08 May 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-08 00:15

Updated : 2025-05-08 14:39

NVD link : CVE-2024-55651

Mitre link : CVE-2024-55651

CVE.ORG link : CVE-2024-55651

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-55651", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-08T00:15:15.853", "references": [{"url": "https://github.com/portabilis/i-educar/security/advisories/GHSA-8fjj-9937-g84w", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "i-Educar is free, fully online school management software. Version 2.9 of the application fails to properly validate and sanitize user supplied input, leading to a stored cross-site scripting vulnerability that resides within the user type (Tipo de Usu\u00e1rio) input field. Through this attacker vector a malicious user might be able to retrieve information belonging to another user, which may lead to sensitive information leakage or other malicious actions. As of time of publication, no patched versions are known to exist."}, {"lang": "es", "value": "i-Educar es un software de gesti\u00f3n escolar gratuito y totalmente en l\u00ednea. La versi\u00f3n 2.9 de la aplicaci\u00f3n no valida ni depura correctamente la informaci\u00f3n proporcionada por el usuario, lo que genera una vulnerabilidad de cross site scripting almacenado en el campo de entrada \"Tipo de Usu\u00e1rio\". A trav\u00e9s de este vector de ataque, un usuario malicioso podr\u00eda obtener informaci\u00f3n de otro usuario, lo que podr\u00eda provocar la filtraci\u00f3n de informaci\u00f3n confidencial u otras acciones maliciosas. Al momento de la publicaci\u00f3n, no se conoc\u00edan versiones parcheadas."}], "lastModified": "2025-05-08T14:39:09.683", "sourceIdentifier": "security-advisories@github.com"}