PT-2024-31409 · I-Educar

0Xbhsu · Published 2024-08-28 · Updated 2024-09-13 · CVE-2024-45058

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: i-Educar versions prior to 2.9

Description: The issue allows an attacker with minimal viewing privileges in the settings section to change their user type to Administrator or another type with super-permissions. This can be achieved through a specifically crafted POST request to "/intranet/educar_usuario_cad.php", modifying the nivel_usuario parameter. The vulnerability occurs because the file located at ieducar/intranet/educar_usuario_cad.php does not check the user's current permission level before allowing changes.

Recommendations: For versions prior to 2.9, consider disabling access to the "/intranet/educar_usuario_cad.php" endpoint until a patch is available. Additionally, restrict modifications to the nivel_usuario parameter to prevent unauthorized changes. It is recommended that users contact the developer and coordinate a schedule for updates. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
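As an added illustration, not i-Educar's own code and not the project's fix, the missing check the description refers to is shown next to a hardened handler; the array shapes, the level numbering (1 = administrator) and the function names are assumptions, only the nivel_usuario field name comes from the advisory:

```php
<?php
// Added example, not i-Educar's code. Assumed names: the session user's current
// level is $actor['nivel_usuario'], records carry 'id' and 'nivel_usuario', and
// the form posts nivel_usuario as the advisory says. Level values are hypothetical:
// 1 = administrator, larger numbers = fewer privileges.
declare(strict_types=1);

const NIVEL_ADMIN = 1;

// Vulnerable pattern: the POST body decides the new level; nobody asks who sent it.
function updateUserVulnerable(array $record, array $post): array
{
    if (isset($post['nivel_usuario'])) {
        $record['nivel_usuario'] = (int) $post['nivel_usuario'];
    }
    return $record;
}

// Hardened pattern: the server-side session ($actor), never the request, decides
// whether a level change is allowed. Throws when it is not.
function updateUserHardened(array $actor, array $record, array $post): array
{
    if (!array_key_exists('nivel_usuario', $post)) {
        return $record;                       // nothing privileged was requested
    }
    $requested = (int) $post['nivel_usuario'];
    if ($requested === (int) $record['nivel_usuario']) {
        return $record;                       // no change, nothing to authorize
    }
    // Only an administrator may change levels, and nobody may change their own.
    $isAdmin = (int) $actor['nivel_usuario'] === NIVEL_ADMIN;
    $isSelf  = (int) $actor['id'] === (int) $record['id'];
    if (!$isAdmin || $isSelf) {
        error_log(sprintf('denied: user %d tried to set nivel_usuario=%d on user %d',
            $actor['id'], $requested, $record['id']));
        throw new RuntimeException('Not authorized to change nivel_usuario');
    }
    $record['nivel_usuario'] = $requested;
    return $record;
}

// Constructed sample: a viewer (level 3) posts nivel_usuario=1 against their own record.
$actor = ['id' => 42, 'nivel_usuario' => 3];
$post  = ['nivel_usuario' => '1'];
echo updateUserVulnerable($actor, $post)['nivel_usuario'], PHP_EOL; // vulnerable path honours it
try {
    updateUserHardened($actor, $actor, $post);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;                                  // hardened path refuses it
}
```

The denial is also written to the error log, which gives a detection hook for repeated attempts against the endpoint.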

Tags: Exploit · RCE

Weakness Enumeration: Improper Privilege Management · Missing Authorization

Related Identifiers: CVE-2024-45058 · GHSA-53VJ-FQ8X-2MVG

Affected Products: I-Educar