Platform
php
Fixed version
2.11.1
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Educar version 2.11. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides within the /intranet/educarservidorcurso_lst.php file, affecting an unknown function. A public exploit is now available.
Successful exploitation of CVE-2026-4355 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the i-Educar interface. The remote nature of the vulnerability means an attacker does not need to be authenticated to exploit it, significantly expanding the potential attack surface. The availability of a public exploit increases the likelihood of widespread exploitation.
CVE-2026-4355 has a LOW CVSS score of 3.5. A public proof-of-concept (PoC) is available, indicating a higher risk of exploitation. The vulnerability was disclosed on 2026-03-17. The vendor, Portabilis, was contacted but did not respond, which may delay the availability of a patch.
Educational institutions and organizations utilizing Portabilis i-Educar version 2.11 are at risk. This includes schools, universities, and training centers that rely on i-Educar for learning management and student information systems. The lack of vendor response increases the risk for these organizations.
• wordpress / composer / npm:
grep -r "educar_servidor_curso_lst.php" /var/www/html/
• generic web:
curl -I "http://<target>/intranet/educar_servidor_curso_lst.php?Name=<script>alert(1)</script>"
Exploitation status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4355 is to upgrade to a patched version of i-Educar. As no fixed version is provided, consider implementing input validation and sanitization on the 'Name' parameter in /intranet/educarservidorcurso_lst.php to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update security policies to address emerging threats.
Upgrade to a patched version or apply the vendor's security measures to mitigate the XSS vulnerability. Since the vendor has not responded, it is recommended to review and sanitize input to the 'Name' parameter in the file /intranet/educar_servidor_curso_lst.php.
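The two controls recommended above, input validation and output encoding of the 'Name' parameter, shown as an added example that is not i-Educar's own code: the function names, the page layout and the allowed-character rule are assumptions for illustration.

```php
<?php
// Added example (not i-Educar's code): a list page that reflects the 'Name'
// query parameter, first as the vulnerable pattern, then hardened as the
// advisory recommends. Function names and layout are assumptions.

// BEFORE: the pattern behind a reflected XSS. The raw parameter is echoed
// into HTML, so <script>alert(1)</script> runs in the victim's browser.
function render_filter_vulnerable(array $query): string
{
    $name = $query['Name'] ?? '';
    return '<input name="Name" value="' . $name . '">'
         . '<p>Results for: ' . $name . '</p>';
}

// AFTER: validate on input, encode on output.
function validate_name(string $name): string
{
    // A teacher/course name filter only needs letters (including accented
    // characters), digits, spaces and a few separators; anything else is
    // rejected rather than "cleaned", which avoids filter-bypass tricks.
    if ($name !== '' && !preg_match('/^[\p{L}\p{N} .\'-]{1,100}$/u', $name)) {
        throw new InvalidArgumentException('Name contains disallowed characters');
    }
    return $name;
}

function html_escape(string $value): string
{
    // Output encoding for HTML body and attribute contexts. ENT_QUOTES also
    // encodes ' so the value is safe inside single- or double-quoted attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_filter_hardened(array $query): string
{
    $name = validate_name((string) ($query['Name'] ?? ''));
    $safe = html_escape($name);
    return '<input name="Name" value="' . $safe . '">'
         . '<p>Results for: ' . $safe . '</p>';
}

// Constructed sample input mirroring the public PoC payload.
$poc = ['Name' => '<script>alert(1)</script>'];
echo render_filter_vulnerable($poc), PHP_EOL;      // script tag echoed verbatim
try {
    echo render_filter_hardened($poc), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL; // validation blocks the PoC
}
// A legitimate value still works and is encoded before it reaches the page.
echo render_filter_hardened(['Name' => "D'Ávila"]), PHP_EOL;
```

Validation alone is not enough where the field must accept arbitrary text, so the output encoding in `html_escape` is the control that must always be present; the regex only narrows what reaches it.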
CVE-2026-4355 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar version 2.11, allowing attackers to inject malicious scripts via the 'Name' parameter in a specific file.
If you are using Portabilis i-Educar version 2.11, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
Upgrade to a patched version of i-Educar. Until a patch is released, implement input validation and sanitization on the 'Name' parameter and consider using a WAF.
A public proof-of-concept exists, suggesting a higher likelihood of active exploitation. Monitor your systems for suspicious activity.
Check the Portabilis website and security advisories for updates regarding CVE-2026-4355. As of the disclosure date, no advisory has been published.