CVE-2024-45057

Public Exploit
Reflected Cross-Site Scripting in i-Educar

Description

i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the dynamic generation of HTML fields prior to the 2.9 branch. The file located at `ieducar/intranet/include/clsCampos.inc.php` does not properly validate or sanitize user-controlled input, leading to the vulnerability. Any page that uses this implementation is vulnerable, such as `intranet/educar_curso_lst.php?nm_curso=<payload>`, `intranet/atendidos_lst.php?nm_pessoa=<payload>`, `intranet/educar_abandono_tipo_lst?nome=<payload>`. Commit f2d768534aabc09b2a1fc8a5cc5f9c93925cb273 contains a patch for the issue.

Category

6.1
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 3.0 •
EPSS 0.15%
Vendor Advisory github.com
Affected: portabilis i-educar
Published at:
Updated at:

References

Link Tags
https://github.com/portabilis/i-educar/security/advisories/GHSA-fqwh-c3c8-7gwj vendor advisory exploit
https://github.com/portabilis/i-educar/commit/f2d768534aabc09b2a1fc8a5cc5f9c93925cb273 patch

Frequently Asked Questions

What is the severity of CVE-2024-45057?
CVE-2024-45057 has been scored as a medium severity vulnerability.
How to fix CVE-2024-45057?
To fix CVE-2024-45057, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-45057 being actively exploited in the wild?
It is possible that CVE-2024-45057 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-45057?
CVE-2024-45057 affects portabilis i-educar.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.