CVSS: 4.8EPSS: 0%CPEs: 11EXPL: 1CVE-2025-8918 – Portabilis i-Educar Editar educar_instituicao_cad.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-8918
13 Aug 2025 — A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /intranet/educar_instituicao_cad.php of the component Editar Page. The manipulation of the argument neighborhood name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?id.319877 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 1CVE-2025-8790 – Portabilis i-Educar API Endpoint pessoa improper authorization
https://notcve.org/view.php?id=CVE-2025-8790
10 Aug 2025 — A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been declared as critical. This vulnerability affects unknown code of the file /module/Api/pessoa of the component API Endpoint. The manipulation of the argument ID leads to improper authorization. The attack can be initiated remotely. • https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8790.md • CWE-266: Incorrect Privilege Assignment CWE-285: Improper Authorization •
CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 1CVE-2025-8789 – Portabilis i-Educar API Endpoint Diario authorization
https://notcve.org/view.php?id=CVE-2025-8789
10 Aug 2025 — A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been classified as problematic. This affects an unknown part of the file /module/Api/Diario of the component API Endpoint. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. • https://github.com/CVE-Hunters/CVE/blob/main/i-educar/CVE-2025-8789.md • CWE-285: Improper Authorization CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.1EPSS: 0%CPEs: 10EXPL: 1CVE-2025-8785 – Portabilis i-Educar educar_usuario_lst.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-8785
09 Aug 2025 — A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar up to 2.9. This issue affects some unknown processing of the file /intranet/educar_usuario_lst.php. The manipulation of the argument nm_pessoa/matricula/matricula_interna leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-8785.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 10EXPL: 1CVE-2025-8784 – Portabilis i-Educar Cadastrar Vínculo funcionario_vinculo_cad.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-8784
09 Aug 2025 — A vulnerability classified as problematic was found in Portabilis i-Educar up to 2.9. This vulnerability affects unknown code of the file /intranet/funcionario_vinculo_cad.php of the component Cadastrar Vínculo Page. The manipulation of the argument nome leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-8784.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: 10EXPL: 1CVE-2024-12893 – Portabilis i-Educar Tipo de Usuário Page 2 cross site scripting
https://notcve.org/view.php?id=CVE-2024-12893
22 Dec 2024 — A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar up to 2.9. Affected by this issue is some unknown functionality of the file /usuarios/tipos/2 of the component Tipo de Usuário Page. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/RegularUs3r/CVE-Research/blob/main/CVE-2024/Portabilis%20-%20iEducar/Stored%20Cross-Site%20Scripting.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45059 – Authenticated SQL Injection in i-Educar
https://notcve.org/view.php?id=CVE-2024-45059
28 Aug 2024 — i-Educar is free, completely online school management software that allows school secretaries, teachers, coordinators and area managers. In affected versions Creating a SQL query from a concatenation of a user-controlled GET parameter allows an attacker to manipulate the query. Successful exploitation of this flaw allows an attacker to have complete and unrestricted access to the database, with a web user with minimal permissions. This may involve obtaining user information, such as emails, password hashes,... • https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.5EPSS: 8%CPEs: 1EXPL: 1CVE-2024-45058 – Privilege escalation in i-Educar
https://notcve.org/view.php?id=CVE-2024-45058
28 Aug 2024 — i-Educar is free, completely online school management software that allows school secretaries, teachers, coordinators and area managers. An attacker with only minimal viewing privileges in the settings section is able to change their user type to Administrator (or another type with super-permissions). Any user is capable of becoming an administrator, which can lead to account theft, changing administrative tasks, etc. The failure occurs in the file located in ieducar/intranet/educar_usuario_cad.php on line ... • https://github.com/0xbhsu/CVE-2024-45058 • CWE-20: Improper Input Validation CWE-269: Improper Privilege Management •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45057 – Reflected Cross-Site Scripting in i-Educar
https://notcve.org/view.php?id=CVE-2024-45057
28 Aug 2024 — i-Educar is free, completely online school management software that allows school secretaries, teachers, coordinators and area managers. The lack of sanitization of user-controlled parameters for generating HTML field values dynamically leads to XSS (Cross-Site Scripting) attacks. The dynamic generation of HTML fields in the ieducar/intranet/include/clsCampos.inc.php file does not perform the correct validation or sanitization, reflecting the user-controlled values to be shown in the page's HTML. This a... • https://github.com/portabilis/i-educar/commit/f2d768534aabc09b2a1fc8a5cc5f9c93925cb273 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5578 – Portábilis i-Educar HTTP GET Request agenda_imprimir.php cross site scripting
https://notcve.org/view.php?id=CVE-2023-5578
14 Oct 2023 — A vulnerability was found in Portábilis i-Educar up to 2.7.5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file \intranet\agenda_imprimir.php of the component HTTP GET Request Handler. The manipulation of the argument cod_agenda with the input ");'> <script>alert(document.cookie)</script> leads to cross site scripting. The attack can be launched remotely. • https://vuldb.com/?ctiid.242143 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •