GitHub, Inc. AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

GitHub, Inc. CWE-20

GitHub, Inc. CWE-269

i-Educar is free, completely online school management software that allows school secretaries, teachers, coordinators and area managers. An attacker with only minimal viewing privileges in the settings section is able to change their user type to Administrator (or another type with super-permissions). Any user is capable of becoming an administrator, which can lead to account theft, changing administrative tasks, etc. The failure occurs in the file located in ieducar/intranet/educar_usuario_cad.php on line 446 , which does not perform checks on the user's current permission level to make changes.  This issue has not yet been patched. Users are advised to contact the developer and to coordinate an update schedule.

GitHub, Inc. https://github.com/portabilis/i-educar/security/advisories/GHSA-53vj-fq8x-2mvg [No types assigned]