Platform: php
Component: cve-research
Fixed versions: 2.0.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.7.1, 2.8.1, 2.9.1
CVE-2024-12893 describes a problematic cross-site scripting (XSS) vulnerability discovered in Portabilis i-Educar versions 2.0 through 2.9. This vulnerability allows attackers to inject malicious scripts via manipulation of the 'name' argument within the /usuarios/tipos/2 component. The vulnerability is remotely exploitable and has been publicly disclosed, raising concerns about potential exploitation. A fix is available in version 2.9.1.
Successful exploitation of CVE-2024-12893 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the i-Educar platform. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the i-Educar interface. The attacker could potentially gain access to sensitive user data or compromise the integrity of the application. Given the public disclosure, the risk of exploitation is elevated, particularly if users have not yet applied the available patch.
This vulnerability was publicly disclosed on December 22, 2024. The lack of response from the vendor is concerning and increases the likelihood of exploitation. While the CVSS score is LOW (2.4), the public disclosure and ease of exploitation make it a potential risk. No known active campaigns or proof-of-concept exploits beyond the disclosure have been reported as of this writing.
Educational institutions and organizations utilizing i-Educar for student management are particularly at risk. Those running older, unpatched versions (2.0-2.9) are directly vulnerable. Shared hosting environments where multiple i-Educar instances reside on the same server could experience cascading impacts if one instance is compromised.
• php: Examine i-Educar application logs for suspicious requests targeting the /usuarios/tipos/2 endpoint with unusual values in the name parameter. Use grep to search for patterns such as <script> or javascript: in these requests. Note that this literal pattern will not match payloads that were URL-encoded by the client (e.g., %3Cscript%3E), which is how the access log usually records them.
grep -i '<script' /var/log/apache2/access.log | grep '/usuarios/tipos/2'
• generic web: Use curl to send a simple XSS test payload (e.g., <script>alert('XSS')</script>) to the /usuarios/tipos/2 endpoint and check whether the response body echoes it back unencoded. curl does not render the page, so no alert box appears; an unescaped reflection of the payload is the indicator.
curl -X GET 'http://your-i-educar-server/usuarios/tipos/2?name=<script>alert("XSS")</script>' -s
• generic web: Review access logs for unusual user agent strings or IP addresses accessing the /usuarios/tipos/2 endpoint.
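The grep shown above only matches a literal <script>, so URL-encoded or double-encoded payloads in the access log are missed. The following Python script is an added example (not from this page or from the i-Educar project) that parses Apache combined-format access log lines (an assumed format), isolates requests to /usuarios/tipos/2, URL-decodes the name parameter repeatedly, and flags script-injection indicators; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Apache combined log format is assumed: client IP, identity, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection, compared against the fully decoded, lower-cased value.
XSS_INDICATORS = ("<script", "javascript:", "onerror=", "onload=", "<img", "<svg")

# Constructed sample log lines (not real traffic); the third one is double URL-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Dec/2024:10:01:02 +0000] "GET /usuarios/tipos/2?name=Coordenador HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Dec/2024:10:02:15 +0000] "GET /usuarios/tipos/2?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210',
    '203.0.113.9 - - [22/Dec/2024:10:03:40 +0000] "GET /usuarios/tipos/2?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5198',
    '203.0.113.9 - - [22/Dec/2024:10:04:01 +0000] "GET /outro/endpoint?name=%3Cscript%3E HTTP/1.1" 404 310',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so that a double-encoded '<' (%253C) is still recognised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_requests(log_lines, endpoint="/usuarios/tipos/2"):
    """Return (ip, timestamp, decoded name value, matched indicator) for suspicious hits on the endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != endpoint:
            continue
        # parse_qs performs the first decoding round; decode_fully handles any further encoding layers.
        for name_value in parse_qs(parts.query, keep_blank_values=True).get("name", []):
            decoded = decode_fully(name_value)
            lowered = decoded.lower()
            for indicator in XSS_INDICATORS:
                if indicator in lowered:
                    hits.append((m.group("ip"), m.group("ts"), decoded, indicator))
                    break
    return hits


if __name__ == "__main__":
    for ip, ts, value, indicator in flag_requests(SAMPLE_LOG):
        print(f"{ts} {ip} indicator={indicator!r} name={value!r}")
```

Point the script at a real file by replacing SAMPLE_LOG with the lines of /var/log/apache2/access.log; lines that do not match the assumed format are skipped, so check the regular expression against your server's LogFormat first.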
disclosure
Exploit status
EPSS: 0.11% (30th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12893 is to upgrade i-Educar to version 2.9.1 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the /usuarios/tipos/2 endpoint to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, verify the fix by attempting to inject a simple script through the /usuarios/tipos/2 endpoint and confirming that it is properly sanitized.
Update i-Educar to version 2.9 or later, in which the XSS vulnerability is fixed. If no such version is available, validate and filter the value of the 'name' argument on the Tipo de Usuário page to prevent injection of malicious code. Consider implementing input validation and sanitization in the code.
CVE-2024-12893 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar versions 2.0 through 2.9, allowing attackers to inject malicious scripts.
If you are using any i-Educar version from 2.0 through 2.9 (2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, or 2.9), you are potentially affected by this vulnerability.
Upgrade i-Educar to version 2.9.1 or later to remediate the vulnerability. Consider input validation as a temporary workaround.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Portabilis security advisories page for updates and official information regarding CVE-2024-12893: [https://portabilis.org/security/](https://portabilis.org/security/)