0Xbhsu

**Name of the Vulnerable Software and Affected Versions** i-Educar versions prior to 2.9 **Description** A Reflected Cross-Site Scripting (XSS) issue was identified in the dynamic generation of HTML fields. The file `ieducar/intranet/include/clsCampos.inc.php` does not properly validate or sanitize user-controlled input, leading to the issue. Any page that uses this implementation is affected, such as "intranet/educar curso lst.php?nm curso=<payload>", "intranet/atendidos lst.php?nm pessoa=<payload>", "intranet/educar abandono tipo lst?nome=<payload>". The lack of sanitization of user-controlled parameters allows an attacker to inject a specific XSS payload, which can be executed in the victim's browser. **Recommendations** For versions prior to 2.9, apply the patch contained in commit f2d768534aabc09b2a1fc8a5cc5f9c93925cb273 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `clsCampos.inc.php` file until the patch is applied. Avoid using the vulnerable parameters `nm curso`, `nm pessoa`, and `nome` in the affected API endpoints until the issue is resolved. Users are recommended to contact the developer and coordinate an update schedule.

**Name of the Vulnerable Software and Affected Versions** i-Educar versions prior to 2.9 **Description** The issue allows an attacker with minimal viewing privileges in the settings section to change their user type to Administrator or another type with super-permissions. This can be achieved through a specifically crafted POST request to "/intranet/educar usuario cad.php", modifying the `nivel usuario ` parameter. The vulnerability occurs because the file located at ieducar/intranet/educar usuario cad.php does not check the user's current permission level before allowing changes. **Recommendations** For versions prior to 2.9, consider disabling access to the "/intranet/educar usuario cad.php" endpoint until a patch is available. Additionally, restrict modifications to the `nivel usuario ` parameter to prevent unauthorized changes. It is recommended that users contact the developer and coordinate a schedule for updates. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** i-Educar versions prior to 2.9 **Description** A SQL Injection vulnerability was found in the `ieducar/intranet/funcionario vinculo det.php` file, which creates the query by concatenating the unsanitized GET parameter `cod func`, allowing the attacker to obtain sensitive information such as emails and password hashes. **Recommendations** For versions prior to 2.9, update to version 2.9 or later, as commit 7824b95745fa2da6476b9901041d9c854bf52ffe fixes the issue. As a temporary workaround, consider restricting access to the `funcionario vinculo det.php` file or sanitizing the `cod func` parameter to minimize the risk of exploitation.