PT-2024-31410 · I-Educar · I-Educar

0Xbhsu · Published 2024-08-28 · Updated 2024-09-13 · CVE-2024-45059
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: i-Educar versions prior to 2.9
Description: A SQL injection vulnerability was found in the ieducar/intranet/funcionario_vinculo_det.php file, which builds its query by concatenating the unsanitized GET parameter cod_func, allowing an attacker to obtain sensitive information such as e-mail addresses and password hashes.
Recommendations: For versions prior to 2.9, update to version 2.9 or later, as commit 7824b95745fa2da6476b9901041d9c854bf52ffe fixes the issue. As a temporary workaround, consider restricting access to the funcionario_vinculo_det.php file or sanitizing the cod_func parameter to minimize the risk of exploitation.
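The following is an added illustration of the defect class the advisory describes and of the two remediation layers its recommendations point to: it is not i-Educar's code and not the content of the fixing commit. The table name (funcionario_vinculo), the column (cod_func) and the in-memory SQLite connection are assumed placeholders chosen so the example runs stand-alone.

```php
<?php
// Added example: a concatenated GET parameter beside its hardened form.
// Table/column names and the SQLite connection are placeholders, not i-Educar's.

// --- Vulnerable pattern: the GET parameter becomes part of the SQL text.
// Whatever the client sends is parsed by the database as query syntax, so the
// WHERE clause is under the caller's control.
function vinculoDetalheVulneravel(PDO $db, array $get): array
{
    $codFunc = $get['cod_func'] ?? '';
    $sql = "SELECT * FROM funcionario_vinculo WHERE cod_func = " . $codFunc;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern: validate the parameter's type first, then bind it.
// The query text is fixed when prepare() is called; a bound value can only ever
// be data, never additional SQL. The validation step is the "sanitize cod_func"
// workaround from the recommendations; the prepared statement is the durable fix.
function vinculoDetalheSeguro(PDO $db, array $get): array
{
    $codFunc = filter_var($get['cod_func'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($codFunc === false) {
        // Reject rather than coerce: a non-numeric id is never a valid request here.
        throw new InvalidArgumentException('cod_func must be a positive integer');
    }

    $stmt = $db->prepare('SELECT * FROM funcionario_vinculo WHERE cod_func = :cod_func');
    $stmt->bindValue(':cod_func', $codFunc, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE funcionario_vinculo (cod_func INTEGER, cargo TEXT)');
$db->exec("INSERT INTO funcionario_vinculo VALUES (1, 'Professor'), (2, 'Secretario')");

// A well-formed request returns exactly the requested row.
var_dump(vinculoDetalheSeguro($db, ['cod_func' => '2']));

// A malformed id is rejected before any SQL is built.
try {
    vinculoDetalheSeguro($db, ['cod_func' => 'abc']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The two layers are independent: type validation alone would be enough for an integer id like this one, but binding every user-supplied value through a prepared statement is what keeps the query safe when a parameter is a free-form string. On MySQL, also disable PDO::ATTR_EMULATE_PREPARES so that binding is performed by the server rather than by client-side string substitution.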

Exploit

Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2024-45059, GHSA-2V4W-7XQR-HXMR

Affected Products: I-Educar