Platform
php
Component
vulnerability-research
Fixed versions
2.0.1
2.1.1
2.2.1
2.3.1
2.4.1
2.5.1
2.6.1
2.7.1
2.8.1
2.9.1
2.10.1
CVE-2026-2064 describes a cross-site scripting (XSS) vulnerability in Portabilis i-Educar versions 2.0 through 2.10. The flaw is in the /intranet/meusdadod.php file, in the handling of the 'File' argument: a crafted value for that argument lets an attacker inject script into the page, putting user data and session integrity at risk. A public exploit is available, which increases the likelihood of exploitation.
Successful exploitation of CVE-2026-2064 lets an attacker execute arbitrary JavaScript in the context of a victim's i-Educar browser session. That enables session hijacking, credential theft, redirection to phishing sites, and reading of whatever the victim can see in the interface, such as student records or administrative data. The attack is launched remotely, but the injected script only does damage once a victim's browser renders it, typically after the victim follows a crafted link while logged in. Because the exploit is public, unpatched systems are at elevated risk.
CVE-2026-2064 carries a LOW CVSS rating. A public proof-of-concept (PoC) is available, which makes the practical risk of exploitation moderate despite the low score. The vulnerability was disclosed on 2026-02-06. The vendor was contacted but did not respond, which may delay further mitigation.
Educational institutions and other organizations that run Portabilis i-Educar for student data management are exposed; specifically, deployments on versions 2.0 through 2.10 are vulnerable. Installations on shared hosting may be harder to protect because administrators have limited control over server configuration, for example over WAF rules or response headers such as Content-Security-Policy.
• php / web: Examine web server access logs for requests to /intranet/meusdadod.php whose 'File' parameter carries XSS indicators: `<script` or other tags (`<svg`, `<img`) combined with event-handler attributes (`onerror=`, `onload=`), or `javascript:` URIs. URL-decode the parameter before matching, and decode a second time to catch double-encoded payloads. PHP parameter names are case-sensitive, so match 'File' exactly.
• generic web: Use curl or wget to request /intranet/meusdadod.php with a harmless marker payload in 'File' (e.g. <script>alert('XSS')</script>) and inspect the response body. A command-line client does not execute scripts, so the test is how the value comes back: the endpoint is vulnerable if the payload is reflected verbatim, and fixed if it is HTML-encoded (`&lt;script&gt;`) or not reflected at all.
• generic web: Check response headers for a Content-Security-Policy. A policy whose script-src (or default-src, when script-src is absent) omits 'unsafe-inline', or that uses nonces or hashes, blocks injected inline script even while the vulnerability is present. A Content-Security-Policy-Report-Only header only reports violations and blocks nothing.
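The log review and the CSP check above, as an added example that is not part of the original page or of the i-Educar code base: a Python script that scans access-log lines in Apache "combined" format for XSS indicators in the 'File' parameter of /intranet/meusdadod.php (decoding the value twice to catch double encoding) and evaluates whether a Content-Security-Policy header value would stop injected inline script. The log lines, IP addresses and probe payloads are constructed for illustration, not taken from a real deployment.

```python
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/intranet/meusdadod.php"
PARAM = "File"  # PHP's $_GET keys are case-sensitive, so match the name exactly

# Constructed sample lines in Apache "combined" format (illustrative only, not
# traffic from a real i-Educar deployment). Lines 2, 3, 5 and 6 carry probes;
# line 6 is double URL-encoded, which a single decode pass would miss.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2026:10:12:01 +0000] "GET /intranet/meusdadod.php?File=report.pdf HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Feb/2026:10:12:07 +0000] "GET /intranet/meusdadod.php?File=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301 "-" "curl/8.4.0"
203.0.113.9 - - [06/Feb/2026:10:12:09 +0000] "GET /intranet/meusdadod.php?File=x%22%20onmouseover%3Dalert(1)%20a%3D%22 HTTP/1.1" 200 5299 "-" "curl/8.4.0"
203.0.113.7 - - [06/Feb/2026:10:13:00 +0000] "GET /intranet/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Feb/2026:10:13:12 +0000] "GET /intranet/meusdadod.php?File=javascript:alert(1) HTTP/1.1" 200 5290 "-" "curl/8.4.0"
203.0.113.9 - - [06/Feb/2026:10:13:40 +0000] "GET /intranet/meusdadod.php?File=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 5290 "-" "curl/8.4.0"
"""

# Client IP, timestamp, method, request target and status of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Coarse indicators of script injection; tune them to your false-positive budget.
XSS_INDICATORS = [
    ("html-tag", re.compile(r"<\s*/?\s*(script|svg|img|iframe|object|embed|body|math)\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]


def extract_file_param(target: str) -> list:
    """Return every 'File' value of a request for the affected path (else [])."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    # parse_qs performs the first URL-decoding pass (including '+' -> space).
    return parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])


def classify_value(value: str) -> Optional[Tuple[str, str]]:
    """Match the once-decoded value, then a second decode pass for double encoding.
    Returns (indicator name, text that matched) or None."""
    candidates = [value]
    twice = unquote(value)
    if twice != value:
        candidates.append(twice)
    for candidate in candidates:
        for name, rx in XSS_INDICATORS:
            if rx.search(candidate):
                return name, candidate
    return None


def find_xss_probes(log_text: str) -> list:
    """Scan log text and return one dict per suspicious request to the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in extract_file_param(m["target"]):
            found = classify_value(value)
            if found:
                indicator, decoded = found
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "File": decoded, "indicator": indicator})
    return hits


def csp_blocks_inline_scripts(header: Optional[str]) -> bool:
    """True if this Content-Security-Policy value would stop a reflected inline
    <script> or event handler. The governing directive is script-src, falling
    back to default-src; 'unsafe-inline' defeats it unless a nonce or hash
    source is also present (browsers then ignore 'unsafe-inline'). Pass the
    enforcing header only: Content-Security-Policy-Report-Only blocks nothing."""
    if not header:
        return False
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" not in sources or has_nonce_or_hash


if __name__ == "__main__":
    for hit in find_xss_probes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['indicator']:<15} File={hit['File']!r}")
    print("CSP blocks inline:", csp_blocks_inline_scripts("default-src 'self'"))
```

Feed real logs through `find_xss_probes` by reading the file into a string; for nginx or other formats, adjust `LOG_RE` only. The indicator list deliberately stays short so that benign filenames are not flagged; anything it reports still needs a human to confirm whether the response actually reflected the value.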
Exploitation status
EPSS
0.03% (9th percentile)
The primary mitigation for CVE-2026-2064 is to upgrade Portabilis i-Educar to a fixed release. Version 2.10 itself is listed as affected, so the target is the patched build for your line; the fixed-version list above names 2.0.1 through 2.10.1, with 2.10.1 the most recent. If upgrading immediately is not feasible, make sure the 'File' value handled by /intranet/meusdadod.php is HTML-encoded wherever it is reflected into the page (the standard PHP approach is htmlspecialchars() with ENT_QUOTES and an explicit UTF-8 charset); input validation on its own does not reliably stop XSS. A web application firewall (WAF) can be configured to block XSS patterns aimed at this endpoint and its rules should be reviewed regularly, but a WAF is a compensating control, not a fix. After upgrading, confirm the fix by sending a harmless marker payload in 'File' and checking that the response either encodes it (&lt;script&gt; rather than <script>) or does not reflect it at all.
Update i-Educar to a fixed release (2.10.1 or later; 2.10 itself is affected). The fix addresses the cross-site scripting (XSS) vulnerability in the user data page and removes the risk of malicious scripts executing in users' browsers.
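The post-upgrade verification step above, as an added example that is not code from this page or from Portabilis: a command-line client cannot "observe script execution", so the check below instead classifies how the 'File' value comes back in the response (reflected raw, partially encoded, fully encoded, or absent). The endpoint host, the marker and the response bodies are constructed for illustration; /intranet/ pages are assumed to require a login, so a fetcher for a live host would have to send an authenticated session cookie.

```python
import html
from typing import Callable, Dict
from urllib.parse import urlencode

# Assumed endpoint: the page names the file, the host is a placeholder.
ENDPOINT = "https://school.example/intranet/meusdadod.php"

# A unique marker lets us locate the reflected value anywhere in the body. The
# leading quote-and-bracket closes a quoted attribute, so one request exercises
# both the attribute and the HTML-body reflection contexts.
MARKER = "xss-check-7f3a"
PAYLOAD = f'"><script>{MARKER}</script>'


def build_probe_url(base_url: str, payload: str = PAYLOAD) -> str:
    """URL-encode the probe into the 'File' query parameter."""
    return base_url + "?" + urlencode({"File": payload})


def classify_reflection(body: str, payload: str = PAYLOAD, marker: str = MARKER) -> str:
    """raw:     payload echoed unchanged (vulnerable).
    partial: marker echoed, but not in the full html.escape() form, e.g. angle
             brackets encoded while the double quote is not (attribute breakout
             still works). Numeric-entity output (&#34;) also lands here, so a
             'partial' verdict is a prompt to inspect the body by hand.
    encoded: < > and " encoded exactly as html.escape(quote=True) would (fixed).
    absent:  value not reflected, or the request was rejected."""
    if payload in body:
        return "raw"
    if marker not in body:
        return "absent"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "partial"


def check_endpoint(base_url: str, fetch: Callable[[str], str]) -> Dict[str, object]:
    """fetch(url) -> response body. Against a live host this would wrap
    urllib.request and send the i-Educar session cookie (assumed necessary for
    /intranet/); it is injectable here so the check runs offline."""
    url = build_probe_url(base_url)
    verdict = classify_reflection(fetch(url))
    return {"url": url, "verdict": verdict, "vulnerable": verdict in ("raw", "partial")}


# Constructed response bodies standing in for the endpoint in different states.
VULNERABLE_BODY = f'<input type="text" name="File" value="{PAYLOAD}">'
FIXED_BODY = f'<input type="text" name="File" value="{html.escape(PAYLOAD, quote=True)}">'
NOQUOTES_BODY = ('<input type="text" name="File" value="'
                 + PAYLOAD.replace("<", "&lt;").replace(">", "&gt;") + '">')
REJECTED_BODY = "<p>Invalid file.</p>"


def demo() -> Dict[str, str]:
    """Run the check against each constructed body and return the verdicts."""
    results = {}
    for name, body in [("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY),
                       ("noquotes", NOQUOTES_BODY), ("rejected", REJECTED_BODY)]:
        results[name] = check_endpoint(ENDPOINT, lambda _url, b=body: b)["verdict"]
    return results


if __name__ == "__main__":
    print(build_probe_url(ENDPOINT))
    for name, verdict in demo().items():
        print(f"{name:>10}: {verdict}")
```

Against a live system, pass a `fetch` that performs the HTTP request with the session cookie and returns the decoded body. Treat "partial" as a failure until inspected: either some metacharacters survived, or the application used an encoding this check does not recognise, and only reading the body tells which.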
CVE-2026-2064 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar versions 2.0 through 2.10 that lets attackers inject malicious scripts through the 'File' argument of the /intranet/meusdadod.php endpoint.
You are affected if you run Portabilis i-Educar 2.0 through 2.10 (2.10 included) and have neither upgraded to a fixed release nor applied mitigations.
Upgrade to a fixed release of Portabilis i-Educar (2.10.1 or later for the 2.10 line, per the fixed-version list). As a temporary workaround, HTML-encode the 'File' value wherever /intranet/meusdadod.php reflects it; validating the input alone is not sufficient.
A public exploit exists, indicating a potential for active exploitation, especially for unpatched systems.
Refer to the Portabilis security advisories page for the latest information: [https://portabilis.org/security/](https://portabilis.org/security/)