i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A SQL Injection vulnerability was found prior to the 2.9 branch in the `ieducar/intranet/funcionario_vinculo_det.php` file, which creates the query by concatenating the unsanitized GET parameter `cod_func`, allowing the attacker to obtain sensitive information such as emails and password hashes. Commit 7824b95745fa2da6476b9901041d9c854bf52ffe fixes the issue.
References
Link | Resource |
---|---|
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html | Technical Description |
https://github.com/portabilis/i-educar/commit/7824b95745fa2da6476b9901041d9c854bf52ffe | Patch |
https://github.com/portabilis/i-educar/security/advisories/GHSA-2v4w-7xqr-hxmr | Exploit Third Party Advisory |
https://portswigger.net/web-security/sql-injection | Technical Description |
Configurations
History
13 Sep 2024, 20:09
Type | Values Removed | Values Added |
---|---|---|
References | () https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html - Technical Description | |
References | () https://github.com/portabilis/i-educar/commit/7824b95745fa2da6476b9901041d9c854bf52ffe - Patch | |
References | () https://github.com/portabilis/i-educar/security/advisories/GHSA-2v4w-7xqr-hxmr - Exploit, Third Party Advisory | |
References | () https://portswigger.net/web-security/sql-injection - Technical Description | |
First Time |
Portabilis i-educar
Portabilis |
|
CPE | cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:* |
06 Sep 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | (en) i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A SQL Injection vulnerability was found prior to the 2.9 branch in the `ieducar/intranet/funcionario_vinculo_det.php` file, which creates the query by concatenating the unsanitized GET parameter `cod_func`, allowing the attacker to obtain sensitive information such as emails and password hashes. Commit 7824b95745fa2da6476b9901041d9c854bf52ffe fixes the issue. |
29 Aug 2024, 13:25
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
28 Aug 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-28 21:15
Updated : 2024-09-13 20:09
NVD link : CVE-2024-45059
Mitre link : CVE-2024-45059
CVE.ORG link : CVE-2024-45059
JSON object : View
Products Affected
portabilis
- i-educar
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')