Platform
php
Component
cve-research
Fixed in
2.0.1
2.1.1
2.2.1
2.3.1
2.4.1
2.5.1
2.6.1
2.7.1
2.8.1
2.9.1
CVE-2024-12893 describes a cross-site scripting (XSS) vulnerability discovered in Portabilis i-Educar versions 2.0 through 2.9. This vulnerability allows attackers to inject malicious scripts by manipulating the 'name' argument within the /usuarios/tipos/2 component. The vulnerability is remotely exploitable and has been publicly disclosed, raising concerns about potential exploitation. A fix is available in version 2.9.1.
Successful exploitation of CVE-2024-12893 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the i-Educar platform. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the i-Educar interface. The attacker could potentially gain access to sensitive user data or compromise the integrity of the application. Given the public disclosure, the risk of exploitation is elevated, particularly if users have not yet applied the available patch.
This vulnerability was publicly disclosed on December 22, 2024. The lack of response from the vendor is concerning and increases the likelihood of exploitation. While the CVSS score is LOW (2.4), the public disclosure and ease of exploitation make it a potential risk. No known active campaigns or proof-of-concept exploits beyond the disclosure have been reported as of this writing.
Exploit Status
EPSS
0.11% (30th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-12893 is to upgrade i-Educar to version 2.9.1 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the /usuarios/tipos/2 endpoint to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, verify the fix by submitting a simple script through the /usuarios/tipos/2 endpoint and confirming that it is rendered as inert, encoded text rather than executed.
Update i-Educar to a version later than 2.9 that fixes the XSS vulnerability. If no such version is available, review and filter the input to the 'name' argument on the Tipo de Usuário page to prevent malicious code injection. Consider implementing input validation and sanitization in the code.
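The two controls recommended above (validating the 'name' value on input and sanitizing it on output) are shown together in the following PHP example. This is an added illustration written for this page, not code from i-Educar or Portabilis; the function names `validateTypeName`, `e` and `renderTypeRow`, the 60-character limit and the allowed-character set are assumptions, and the sample input is constructed. The self-check at the end mirrors the verification step described above: a value containing markup is rejected on input, and, if such a value had already been stored before the patch, output encoding keeps it from being interpreted as HTML.

```php
<?php
// Added example (not i-Educar's own code): hardening the 'name' field of a
// user-type form against XSS. Function and parameter names are assumptions
// chosen for illustration; i-Educar's real handlers are not shown here.

declare(strict_types=1);

/**
 * Input-side control: validate a user-type name before it is stored.
 * Assumption: a name consists of letters (including accented ones), digits,
 * spaces, hyphens and underscores, 1..60 characters. Anything else is
 * rejected rather than "cleaned", so unexpected markup never reaches storage.
 */
function validateTypeName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60) {
        return null;
    }
    // \p{L} matches accented letters such as in "Usuário"; /u makes the
    // pattern UTF-8 aware.
    return preg_match('/^[\p{L}\p{N} _-]+$/u', $name) === 1 ? $name : null;
}

/**
 * Output-side control: encode a value for HTML text or a double-quoted
 * attribute. Even if a stored value contains markup, the browser renders it
 * as literal text instead of executing it.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one user-type row the way a hardened template would. */
function renderTypeRow(int $id, string $name): string
{
    return sprintf(
        '<tr><td>%d</td><td>%s</td><td><a href="/usuarios/tipos/%d" title="%s">editar</a></td></tr>',
        $id,
        e($name),
        $id,
        e($name)
    );
}

/** Minimal check helper so the self-test works regardless of zend.assertions. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- Self-check with a constructed input that contains markup -------------
$constructed = 'Coordenador <b>x</b>'; // constructed sample, not a real payload

// 1. Input side: the validator rejects the value outright.
check(validateTypeName($constructed) === null, 'markup rejected on input');
check(validateTypeName('Coordenador Pedagógico') === 'Coordenador Pedagógico', 'plain name accepted');
check(validateTypeName(str_repeat('a', 61)) === null, 'over-long name rejected');

// 2. Output side: if such a value had been stored before the patch,
//    encoding keeps it inert in the rendered page.
$row = renderTypeRow(2, $constructed);
check(strpos($row, '<b>') === false, 'raw tag absent from output');
check(strpos($row, '&lt;b&gt;') !== false, 'tag is entity-encoded');

echo $row, PHP_EOL;
echo "all checks passed", PHP_EOL;
```

Run it with `php example.php`; the printed row shows the entity-encoded name, and a failed check throws rather than silently passing. The design point is that the two layers are independent: validation limits what can be stored, while `htmlspecialchars` with `ENT_QUOTES` protects every place the value is rendered, including attribute contexts such as `title="..."`, so existing rows written before the fix are covered as well.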
CVE-2024-12893 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar versions 2.0 through 2.9, allowing attackers to inject malicious scripts.
If you are using i-Educar version 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, or 2.9, you are potentially affected by this vulnerability.
Upgrade i-Educar to version 2.9.1 or later to remediate the vulnerability. Consider input validation as a temporary workaround.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Portabilis security advisories page for updates and official information regarding CVE-2024-12893: [https://portabilis.org/security/](https://portabilis.org/security/)