CVE-2024-45058
Published: 28 August 2024
Summary
CVE-2024-45058 is a high-severity Improper Input Validation (CWE-20) vulnerability in Portabilis I-Educar. Its CVSS base score is 8.1 (High).
Operationally, ranked in the top 3.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
i-Educar is free, fully online school management software. Prior to the 2.9 branch, the application contained an authorization flaw in ieducar/intranet/educar_usuario_cad.php that failed to validate a user's existing permission level before processing a POST request containing the nivel_usuario_ parameter. This allowed an authenticated user to alter their own account type without restriction.
An attacker holding only minimal viewing privileges in the settings section can submit a crafted POST request to /intranet/educar_usuario_cad.php and thereby elevate their account to Administrator or any other role possessing super-permissions, resulting in full control over user management functions and exposure of sensitive data.
The referenced GitHub security advisory GHSA-53vj-fq8x-2mvg and the patch in commit c25910cdf11ab50e50162a49dd44bef544422b6e address the issue by adding an explicit permission check before allowing changes to user levels. The current EPSS score of 0.2430 shows no material increase from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41289
Vulnerability details
i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. Prior to the 2.9 branch, an attacker with only minimal viewing privileges in the settings section is able to change…
more
their user type to Administrator (or another type with super-permissions) through a specifically crafted POST request to `/intranet/educar_usuario_cad.php`, modifying the `nivel_usuario_` parameter. The vulnerability occurs in the file located at `ieducar/intranet/educar_usuario_cad.php`, which does not check the user's current permission level before allowing changes. Commit c25910cdf11ab50e50162a49dd44bef544422b6e contains a patch for the issue.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
Always invoking the reference monitor prevents missing authorization checks for protected resources.
Requires verification that authorization checks are present and operational for protected resources.
Requiring explicit authorization for each internal connection prevents missing authorization.
Restricting who can perform changes helps ensure privileges are managed properly rather than assigned broadly.
Manages privileges by authorizing only approved personnel and supervising those lacking required authorizations for maintenance.