CVE-2024-55651: i-Educar Stored Cross-Site Scripting vulnerability

2.0 CVSS

Description

i-Educar is free, fully online school management software. Version 2.9 of the application fails to properly validate and sanitize user supplied input, leading to a stored cross-site scripting vulnerability that resides within the user type (Tipo de Usuário) input field. Through this attacker vector a malicious user might be able to retrieve information belonging to another user, which may lead to sensitive information leakage or other malicious actions. As of time of publication, no patched versions are known to exist.

Classification

CVE ID: CVE-2024-55651

CVSS Base Severity: LOW

CVSS Base Score: 2.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: portabilis

Product: i-educar

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.26% (scored less or equal to compared to others)

EPSS Date: 2025-06-05 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-55651
https://github.com/portabilis/i-educar/security/advisories/GHSA-8fjj-9937-g84w

Timeline

2025-05-08 00:40:15 UTC
CVE

i-Educar Stored Cross-Site Scripting vulnerability