Platform
php
Component
cve-research
Fixed in
2.0.1
2.1.1
2.2.1
2.3.1
2.4.1
2.5.1
2.6.1
2.7.1
2.8.1
2.9.1
CVE-2024-12893 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar versions 2.0 through 2.9. It allows attackers to inject malicious scripts by manipulating the 'name' argument of the /usuarios/tipos/2 component. The vulnerability is remotely exploitable and has been publicly disclosed, raising concerns about potential exploitation. A fix is available in version 2.9.1.
Successful exploitation of CVE-2024-12893 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the i-Educar platform. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the i-Educar interface. The attacker could potentially gain access to sensitive user data or compromise the integrity of the application. Given the public disclosure, the risk of exploitation is elevated, particularly if users have not yet applied the available patch.
This vulnerability was publicly disclosed on December 22, 2024. The lack of response from the vendor is concerning and increases the likelihood of exploitation. While the CVSS score is LOW (2.4), the public disclosure and ease of exploitation make it a potential risk. No known active campaigns or proof-of-concept exploits beyond the disclosure have been reported as of this writing.
Educational institutions and organizations utilizing i-Educar for student management are particularly at risk. Those running older, unpatched versions (2.0-2.9) are directly vulnerable. Shared hosting environments where multiple i-Educar instances reside on the same server could experience cascading impacts if one instance is compromised.
• php: Examine i-Educar application logs for suspicious requests targeting the /usuarios/tipos/2 endpoint with unusual parameters in the name field. Use grep to search for patterns like <script> or javascript: in these requests.
grep -i '<script' /var/log/apache2/access.log | grep '/usuarios/tipos/2'
• generic web: Use curl to test the /usuarios/tipos/2 endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>). Check whether the payload is reflected unencoded in the response body (curl does not render pages, so no alert box will appear).
curl -X GET 'http://your-i-educar-server/usuarios/tipos/2?name=<script>alert("XSS")</script>' -s
• generic web: Review access logs for unusual user agent strings or IP addresses accessing the /usuarios/tipos/2 endpoint.
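The grep above only matches a literal '<script', so requests whose name parameter arrives percent-encoded (or double-encoded) slip past it. The following added Python script is not part of this page or of i-Educar: it parses Apache combined-format access lines, decodes the name parameter of /usuarios/tipos/2 until it stops changing, and flags markup or script fragments; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Dec/2024:10:01:02 +0000] "GET /usuarios/tipos/2?name=Professor HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Dec/2024:10:02:15 +0000] "GET /usuarios/tipos/2?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210 "-" "curl/8.4.0"
203.0.113.9 - - [22/Dec/2024:10:02:40 +0000] "GET /usuarios/tipos/2?name=x%2520onmouseover%3Dalert(1) HTTP/1.1" 200 5200 "-" "curl/8.4.0"
198.51.100.7 - - [22/Dec/2024:10:03:00 +0000] "GET /login HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A user-type name should be plain text; tags, javascript: URLs, on* handlers
# and alert() calls have no business in it.
XSS_RE = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=|\balert\s*\(', re.I)


def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding so %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text, path='/usuarios/tipos/2', param='name'):
    """Return one record per request whose decoded `param` looks like markup or script."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m['target'])
        if url.path != path:
            continue
        # parse_qs already decodes once; fully_decode catches double encoding.
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)
            if XSS_RE.search(value):
                hits.append({'ip': m['ip'], 'ts': m['ts'], 'name': value})
    return hits


if __name__ == '__main__':
    for h in suspicious_requests(SAMPLE_LOG):
        print(h['ts'], h['ip'], repr(h['name']))
```

Run it against the real access log by passing the file's contents to suspicious_requests; the second and third sample lines are flagged, the plain "Professor" request is not.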
disclosure
Exploit status
EPSS
0.11% (30th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12893 is to upgrade i-Educar to version 2.9.1 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the /usuarios/tipos/2 endpoint to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, verify the fix by attempting to inject a simple script through the /usuarios/tipos/2 endpoint and confirming that it is properly sanitized.
Update i-Educar to a version later than 2.9 that fixes the XSS vulnerability. If no such version is available, review and filter the input to the 'name' argument on the Tipo de Usuário page to prevent malicious code injection. Consider implementing input validation and sanitization in the code.
CVE-2024-12893 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar versions 2.0 through 2.9, allowing attackers to inject malicious scripts.
If you are using any i-Educar version from 2.0 through 2.9 (2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8 or 2.9), you are potentially affected by this vulnerability.
Upgrade i-Educar to version 2.9.1 or later to remediate the vulnerability. Consider input validation as a temporary workaround.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Portabilis security advisories page for updates and official information regarding CVE-2024-12893: [https://portabilis.org/security/](https://portabilis.org/security/)