Home > Vulnerability Database > CVE-2024-45058

Mend.io Vulnerability Database

CVE-2024-45058

Good to know:

Date: August 28, 2024

i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. Prior to the 2.9 branch, an attacker with only minimal viewing privileges in the settings section is able to change their user type to Administrator (or another type with super-permissions) through a specifically crafted POST request to `/intranet/educar_usuario_cad.php`, modifying the `nivel_usuario_` parameter. The vulnerability occurs in the file located at `ieducar/intranet/educar_usuario_cad.php`, which does not check the user's current permission level before allowing changes. Commit c25910cdf11ab50e50162a49dd44bef544422b6e contains a patch for the issue.

Language: PHP

Severity Score

8.1

Related Resources (4)

Url: https://github.com/portabilis/i-educar/security/advisories/GHSA-53vj-fq8x-2mvg

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-45058

Url: https://github.com/portabilis/i-educar/commit/c25910cdf11ab50e50162a49dd44bef544422b6e

Url: https://www.mend.io/vulnerability-database/CVE-2024-45058

Severity Score

8.1

Weakness Type (CWE)

Input Validation

CWE-20

Improper Privilege Management

CWE-269

Missing Authorization

CWE-862

Top Fix

Upgrade Version

Upgrade to version c25910cdf11ab50e50162a49dd44bef544422b6e

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-45058

Good to know:

Date: August 28, 2024

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?