Platform: php
Component: vulnerability-research
Fixed in: 2.0.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.7.1, 2.8.1, 2.9.1, 2.10.1
CVE-2026-2064 describes a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar versions 2.0 through 2.10. The vulnerability allows an attacker to inject script into pages served by the application, potentially compromising user data and session integrity. It resides in the /intranet/meusdadod.php file, specifically in the handling of the 'File' argument. A public exploit is available, which increases the likelihood of exploitation.
Successful exploitation of CVE-2026-2064 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. The attacker could potentially steal sensitive information displayed within the i-Educar interface, such as student records or administrative data. Given the publicly available exploit, the risk of exploitation is elevated, particularly for systems that have not been patched. The attack can be launched remotely, expanding the potential attack surface.
CVE-2026-2064 has a LOW CVSS score. A public proof-of-concept (PoC) is available, indicating a moderate risk of exploitation. The vulnerability was disclosed on 2026-02-06. The vendor was contacted but did not respond, which could delay further mitigation efforts.
Educational institutions and organizations utilizing Portabilis i-Educar for student data management are at risk. Specifically, deployments running versions 2.0 through 2.10 are vulnerable. Shared hosting environments where i-Educar is installed may be particularly susceptible due to limited control over server configurations.
• php / web: Examine access logs for requests to /intranet/meusdadod.php with unusual or suspicious parameters in the 'File' argument. Look for patterns indicative of XSS payloads (e.g., <script> tags, event handlers).
• generic web: Use curl or wget to test the /intranet/meusdadod.php endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>). Observe the response for script execution.
• generic web: Check response headers for Content-Security-Policy (CSP) directives. A strong CSP can mitigate XSS even if the vulnerability exists.
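The first detection bullet above (reviewing access logs for requests to /intranet/meusdadod.php with script-like content in the 'File' argument) can be automated. The following PHP is an added example, not part of the advisory or of the i-Educar project: it parses combined-format access-log lines, keeps only those for the affected endpoint, URL-decodes the query string (payloads are usually encoded, sometimes twice) and matches a small set of reflected-XSS indicators. The log lines are constructed for the example, and the indicator list is a heuristic that should be tuned to the deployment.

```php
<?php
// Added example (not advisory or i-Educar code): flag access-log requests to
// the affected endpoint whose decoded query string looks like an XSS probe.
declare(strict_types=1);

const ENDPOINT = '/intranet/meusdadod.php';

// Heuristic indicators, matched against the URL-decoded query string.
const XSS_INDICATORS = [
    '/<\s*script/i',            // <script ...>
    '/\bon[a-z]+\s*=/i',         // inline event handlers such as onerror=
    '/javascript\s*:/i',        // javascript: URLs
    '/<\s*(iframe|img|svg)/i',  // tags commonly used to carry a handler
];

/**
 * Return the decoded query string if the line is a request to ENDPOINT,
 * or null if it targets another path or cannot be parsed.
 */
function extractQuery(string $line): ?string
{
    // The quoted request field: "GET /path?query HTTP/1.1"
    if (!preg_match('/"[A-Z]+\s+([^\s"]+)\s+HTTP\/[0-9.]+"/', $line, $m)) {
        return null;
    }
    $path  = parse_url($m[1], PHP_URL_PATH);
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($path !== ENDPOINT || $query === null) {
        return null;
    }
    // Decode twice so that double-encoded payloads are also visible to the matcher.
    return urldecode(urldecode($query));
}

/** Return the indicator patterns that matched the query; empty if none did. */
function suspiciousQuery(string $query): array
{
    $hits = [];
    foreach (XSS_INDICATORS as $pattern) {
        if (preg_match($pattern, $query) === 1) {
            $hits[] = $pattern;
        }
    }
    return $hits;
}

/** Scan log lines and return those that look like XSS probes against ENDPOINT. */
function scanLog(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        $query = extractQuery($line);
        if ($query !== null && suspiciousQuery($query) !== []) {
            $flagged[] = ['line' => $line, 'query' => $query];
        }
    }
    return $flagged;
}

// Constructed sample lines, not real traffic: one benign request to the endpoint,
// one encoded probe against it, and one probe against an unrelated path.
$sample = [
    '203.0.113.5 - - [06/Feb/2026:10:00:00 +0000] "GET /intranet/meusdadod.php?File=report.pdf HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Feb/2026:10:00:05 +0000] "GET /intranet/meusdadod.php?File=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [06/Feb/2026:10:00:07 +0000] "GET /intranet/other.php?x=%3Cscript%3E HTTP/1.1" 200 100',
];

foreach (scanLog($sample) as $hit) {
    echo "suspicious request: {$hit['query']}\n";
}
```

Only the second sample line is reported. Matching on the decoded query is what makes the check useful; grepping raw log lines for `<script>` misses the encoded form that most probes actually use.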
disclosure
Exploit status
EPSS: 0.03% (percentile 9%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2064 is to upgrade Portabilis i-Educar to version 2.10 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the 'File' argument within the /intranet/meusdadod.php file to prevent malicious script injection. Web application firewalls (WAFs) can be configured to detect and block XSS attempts targeting this specific endpoint. Regularly review and update WAF rules to ensure effectiveness. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'File' parameter and verifying that the script is not executed.
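The interim mitigation above (validating and sanitizing the 'File' argument) is shown below as a pair of PHP functions. This is an added example and not i-Educar's code: the advisory gives the file and parameter name but not the affected source, so the vulnerable function is a hypothetical reconstruction of the bug class (a request parameter echoed into HTML unchanged). The hardened version combines an allow-list check on the value with HTML output encoding via htmlspecialchars, because encoding at the point of output is what actually neutralizes script in an HTML text context; validation alone is a weaker control. The security headers are a defence-in-depth layer matching the CSP check in the detection section.

```php
<?php
// Added example, not i-Educar code. Hypothetical reconstruction of a page that
// reflects the 'File' query parameter, shown vulnerable and then hardened.
declare(strict_types=1);

/** Vulnerable pattern: the parameter value is placed into HTML unchanged. */
function renderVulnerable(string $file): string
{
    return '<p>Selected file: ' . $file . '</p>';
}

/**
 * Hardened pattern: reject anything that is not a plausible single file name,
 * then HTML-encode on output anyway (defence in depth; encoding is the control
 * that neutralizes script in an HTML text context).
 */
function renderHardened(string $file): string
{
    // Allow-list: one path component of letters, digits, dot, dash, underscore.
    // \z (not $) so a trailing newline cannot slip past the check.
    if (preg_match('/^[A-Za-z0-9._-]{1,255}\z/', $file) !== 1 || $file === '.' || $file === '..') {
        return '<p>Invalid file.</p>';
    }
    $safe = htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Selected file: ' . $safe . '</p>';
}

/** Response headers that limit what injected script could do if a bug remains. */
function securityHeaders(): array
{
    return [
        "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
        'X-Content-Type-Options: nosniff',
    ];
}

// In a web context, send headers before any output (a no-op on the CLI).
foreach (securityHeaders() as $h) {
    header($h);
}

// Constructed inputs for the example.
$payload = '<script>alert(1)</script>';
echo renderVulnerable($payload), "\n";         // tag passes through unchanged
echo renderHardened($payload), "\n";           // rejected by the allow-list
echo renderHardened('rela<tório>.pdf'), "\n";  // rejected: '<' and non-ASCII
echo renderHardened('relatorio.pdf'), "\n";    // accepted and encoded
```

The allow-list is deliberately narrow; if the real parameter legitimately carries other characters, widen the character class rather than dropping the htmlspecialchars call, which must stay in place regardless of what validation accepts.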
Update i-Educar to version 2.10 or later. This version contains the fix for the Cross-Site Scripting (XSS) vulnerability on the user data page. Updating will mitigate the risk of malicious scripts being executed in users' browsers.
CVE-2026-2064 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar versions 2.0-2.10, allowing attackers to inject malicious scripts via the /intranet/meusdadod.php endpoint.
You are affected if you are running Portabilis i-Educar versions 2.0 through 2.10 and have not upgraded to version 2.10 or applied appropriate mitigations.
Upgrade to Portabilis i-Educar version 2.10 or later. Implement input validation and sanitization on the 'File' argument as a temporary workaround.
A public exploit exists, indicating a potential for active exploitation, especially for unpatched systems.
Refer to the Portabilis security advisories page for the latest information: [https://portabilis.org/security/](https://portabilis.org/security/)