Platform: php
Component: vulnerability-research
Fixed in: 2.0.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.7.1, 2.8.1, 2.9.1, 2.10.1
CVE-2026-2064 describes a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar versions 2.0 through 2.10. It allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The flaw is in the /intranet/meusdadod.php file, in how the 'File' argument is handled. A public exploit is available, increasing the likelihood of exploitation.
Successful exploitation of CVE-2026-2064 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. The attacker could potentially steal sensitive information displayed within the i-Educar interface, such as student records or administrative data. Given the publicly available exploit, the risk of exploitation is elevated, particularly for systems that have not been patched. The attack can be launched remotely, expanding the potential attack surface.
CVE-2026-2064 has a LOW CVSS score. A public proof-of-concept (PoC) is available, indicating a moderate risk of exploitation. The vulnerability was disclosed on 2026-02-06. The vendor was contacted but did not respond, which could delay further mitigation efforts.
Educational institutions and organizations utilizing Portabilis i-Educar for student data management are at risk. Specifically, deployments running versions 2.0 through 2.10 are vulnerable. Shared hosting environments where i-Educar is installed may be particularly susceptible due to limited control over server configurations.
• php / web: Examine access logs for requests to /intranet/meusdadod.php with unusual or suspicious parameters in the 'File' argument. Look for patterns indicative of XSS payloads (e.g., <script> tags, event handlers).
• generic web: Use curl or wget to request the /intranet/meusdadod.php endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>) in the 'File' argument. Check whether the payload is reflected in the response unencoded, which is the condition under which a browser would execute it.
• generic web: Check response headers for Content-Security-Policy (CSP) directives. A strong CSP can mitigate XSS even if the vulnerability exists.
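An added example, not from the advisory or the i-Educar project: a small Python scanner that applies the access-log check above to constructed sample log lines (Combined Log Format is assumed), URL-decoding the 'File' argument before matching so that percent-encoded payloads are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic). The two requests
# from 203.0.113.9 carry reflected-XSS style payloads in the File argument;
# the last line hits a different path and must be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2026:10:01:02 +0000] "GET /intranet/meusdadod.php?File=foto.jpg HTTP/1.1" 200 512
203.0.113.9 - - [06/Feb/2026:10:01:07 +0000] "GET /intranet/meusdadod.php?File=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 640
203.0.113.9 - - [06/Feb/2026:10:01:09 +0000] "GET /intranet/meusdadod.php?File=x%22%20onerror%3Dalert%281%29 HTTP/1.1" 200 640
203.0.113.7 - - [06/Feb/2026:10:02:00 +0000] "GET /intranet/index.php?File=%3Cscript%3E HTTP/1.1" 200 300
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/intranet/meusdadod.php"   # endpoint named in the advisory
PARAM = "File"                            # argument named in the advisory

# Indicators of script injection in a reflected parameter (defensive triage only)
XSS_PATTERNS = [
    ("script tag", re.compile(r"<\s*/?\s*script", re.I)),
    ("html tag", re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript uri", re.compile(r"javascript\s*:", re.I)),
]


def suspicious_requests(log_text):
    """Return one record per request to TARGET_PATH whose File value matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes once; a second unquote catches double-encoded values
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            value = unquote(raw)
            for name, pattern in XSS_PATTERNS:
                if pattern.search(value):
                    hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": m.group("status"), "value": value, "indicator": name})
                    break
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['indicator']}: {hit['value']!r}")
```

Feed it a real access log by replacing SAMPLE_LOG with the file contents; flagged entries are candidates for review, not confirmed exploitation, since the response body is not in the log.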
disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2064 is to upgrade Portabilis i-Educar to version 2.10 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the 'File' argument within the /intranet/meusdadod.php file to prevent malicious script injection. Web application firewalls (WAFs) can be configured to detect and block XSS attempts targeting this specific endpoint. Regularly review and update WAF rules to ensure effectiveness. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'File' parameter and verifying that the script is not executed.
Update i-Educar to version 2.10 or later. That version contains the fix for the cross-site scripting (XSS) vulnerability on the user data page. Updating mitigates the risk of malicious scripts executing in users' browsers.
CVE-2026-2064 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar versions 2.0-2.10, allowing attackers to inject malicious scripts via the /intranet/meusdadod.php endpoint.
You are affected if you are running Portabilis i-Educar versions 2.0 through 2.10 and have not upgraded to version 2.10 or applied appropriate mitigations.
Upgrade to Portabilis i-Educar version 2.10 or later. Implement input validation and sanitization on the 'File' argument as a temporary workaround.
A public exploit exists, indicating a potential for active exploitation, especially for unpatched systems.
Refer to the Portabilis security advisories page for the latest information: [https://portabilis.org/security/](https://portabilis.org/security/)