
CVE-2025-7113 – Portabilis i-Educar Curricular Components Module edit cross site scripting
https://notcve.org/view.php?id=CVE-2025-7113
07 Jul 2025 — A vulnerability was found in Portabilis i-Educar 2.9.0. It has been classified as problematic. Affected is an unknown function of the file /module/ComponenteCurricular/edit?id=ID of the component Curricular Components Module. The manipulation of the argument Nome leads to cross site scripting. • https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README15.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-7112 – Portabilis i-Educar Function Management Module educar_funcao_det.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-7112
07 Jul 2025 — A vulnerability was found in Portabilis i-Educar 2.9.0 and classified as problematic. This issue affects some unknown processing of the file /intranet/educar_funcao_det.php?cod_funcao=COD&ref_cod_instituicao=COD of the component Function Management Module. The manipulation of the argument Função leads to cross site scripting. The attack may be initiated remotely. • https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README14.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-7111 – Portabilis i-Educar Course Module educar_curso_det.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-7111
07 Jul 2025 — A vulnerability has been found in Portabilis i-Educar 2.9.0 and classified as problematic. This vulnerability affects unknown code of the file /intranet/educar_curso_det.php?cod_curso=ID of the component Course Module. The manipulation of the argument Curso leads to cross site scripting. The attack can be initiated remotely. • https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README13.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-7110 – Portabilis i-Educar School Module educar_escola_lst.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-7110
07 Jul 2025 — A vulnerability, which was classified as problematic, was found in Portabilis i-Educar 2.9.0. This affects an unknown part of the file /intranet/educar_escola_lst.php of the component School Module. The manipulation of the argument Escola leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README12.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-7109 – Portabilis i-Educar Student Benefits Registration educar_aluno_beneficio_lst.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-7109
07 Jul 2025 — A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.9.0. Affected by this issue is some unknown functionality of the file /intranet/educar_aluno_beneficio_lst.php of the component Student Benefits Registration. The manipulation of the argument Benefício leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README11.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-55651 – i-Educar Stored Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2024-55651
07 May 2025 — i-Educar is free, fully online school management software. Version 2.9 of the application fails to properly validate and sanitize user-supplied input, leading to a stored cross-site scripting vulnerability that resides within the user type (Tipo de Usuário) input field. Through this attack vector a malicious user might be able to retrieve information belonging to another user, which may lead to sensitive information leakage or other malicious actions. As of time of publication, no patched versions are kno... • https://github.com/portabilis/i-educar/security/advisories/GHSA-8fjj-9937-g84w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-12893 – Portabilis i-Educar Tipo de Usuário Page 2 cross site scripting
https://notcve.org/view.php?id=CVE-2024-12893
22 Dec 2024 — A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar up to 2.9. Affected by this issue is some unknown functionality of the file /usuarios/tipos/2 of the component Tipo de Usuário Page. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/RegularUs3r/CVE-Research/blob/main/CVE-2024/Portabilis%20-%20iEducar/Stored%20Cross-Site%20Scripting.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-55239
https://notcve.org/view.php?id=CVE-2024-55239
18 Dec 2024 — A reflected Cross-Site Scripting vulnerability in the standard documentation upload functionality in Portabilis i-Educar 2.9 allows an attacker to craft malicious URLs with arbitrary JavaScript in the 'titulo_documento' parameter. • https://github.com/RegularUs3r/CVE-Research/blob/main/CVE-2024/Portabilis%20-%20iEducar/CVE-2024-55649%20-%20Reflected%20Cross-Site%20Scripting.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-48325
https://notcve.org/view.php?id=CVE-2024-48325
06 Nov 2024 — Portabilis i-Educar 2.8.0 is vulnerable to SQL Injection in the "getDocuments" function of the "InstituicaoDocumentacaoController" class. The "instituicao_id" parameter in "/module/Api/InstituicaoDocumentacao?oper=get&resource=getDocuments&instituicao_id" is not properly sanitized, allowing an unauthenticated remote attacker to inject malicious SQL commands. • https://github.com/osvaldotenorio/cve-2024-48325 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-45059 – Authenticated SQL Injection in i-Educar
https://notcve.org/view.php?id=CVE-2024-45059
28 Aug 2024 — i-Educar is free, completely online school management software that allows school secretaries, teachers, coordinators and area managers. In affected versions, creating a SQL query from a concatenation of a user-controlled GET parameter allows an attacker to manipulate the query. Successful exploitation of this flaw allows an attacker to have complete and unrestricted access to the database, with a web user with minimal permissions. This may involve obtaining user information, such as emails, password hashes,... • https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •