CVE-2024-45058 Information

Description

i-Educar is free completely online school management software that allows school secretaries teachers coordinators and area managers. An attacker with only minimal viewing privileges in the settings section is able to change their user type to Administrator (or another type with super-permissions). Any user is capable of becoming an administrator which can lead to account theft changing administrative tasks etc. The failure occurs in the file located in ieducar/intranet/educar_usuario_cad.php on line 446 which does not perform checks on the user’s current permission level to make changes. This issue has not yet been patched. Users are advised to contact the developer and to coordinate an update schedule.

Reference

https://github.com/portabilis/i-educar/security/advisories/GHSA-53vj-fq8x-2mvg