CVE-2025-10607
📋 TL;DR
This vulnerability in Portabilis i-Educar allows unauthorized access to class information via the /module/Avaliacao/diarioApi endpoint. Attackers can remotely exploit this Broken Object Level Authorization (BOLA) flaw to enumerate sensitive educational data. All users of i-Educar up to version 2.10 are affected.
💻 Affected Systems
- Portabilis i-Educar
📦 What is this software?
i-Educar by Portabilis
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all class information including student data, grades, schedules, and teacher assignments, potentially leading to privacy violations and data misuse.
Likely Case
Unauthorized users accessing class rosters, schedules, and basic educational information, compromising student and teacher privacy.
If Mitigated
Limited exposure of non-sensitive class metadata if proper access controls and monitoring are implemented.
🎯 Exploit Status
Public exploit details are available on GitHub. The vulnerability requires no authentication and can be exploited with simple HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.11 or later
Vendor Advisory: Not provided in references
Restart Required: No
Instructions:
1. Upgrade i-Educar to version 2.11 or later.
2. Verify the patch by testing the /module/Avaliacao/diarioApi endpoint.
3. Review access logs for any previous exploitation attempts.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Temporarily block access to the vulnerable API endpoint using web server configuration or WAF rules.
# Apache (requires mod_rewrite and RewriteEngine On in the same context):
RewriteRule ^/module/Avaliacao/diarioApi - [F]
# Nginx:
location ~ ^/module/Avaliacao/diarioApi { deny all; }
Implement API Authentication
Add authentication requirements to all API endpoints, especially /module/Avaliacao/diarioApi.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate i-Educar instances from untrusted networks.
- Deploy a Web Application Firewall (WAF) with rules to detect and block BOLA exploitation patterns.
🔍 How to Verify
Check if Vulnerable:
Send an unauthenticated HTTP GET request to /module/Avaliacao/diarioApi. If it returns class information without authentication, the system is vulnerable.
Check Version:
Check i-Educar version in admin panel or configuration files. Typically found in version.txt or similar files.
Verify Fix Applied:
After patching, attempt the same unauthenticated request. It should return an authentication error or no data.
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthenticated requests to /module/Avaliacao/diarioApi
- Unusual access patterns to class information endpoints
- Requests with sequential ID parameters
Network Indicators:
- Unusual traffic to the diarioApi endpoint from external IPs
- Bursts of GET requests with numeric parameters
SIEM Query:
source="web_server" AND (uri="/module/Avaliacao/diarioApi" OR uri LIKE "/module/Avaliacao/diarioApi%") AND status=200 AND user_agent NOT IN ["expected_user_agents"]
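The log indicators above (repeated 200 responses to the diarioApi endpoint from one client, and sequential numeric parameters) implemented as a small offline detector. This is an added example, not code from the advisory or from the i-Educar project. It parses combined-format Apache/Nginx access log lines; the sample lines and the `id` parameter name are constructed, and the detector inspects every integer-valued query parameter so it does not depend on the real parameter name.

```python
"""Detector for CVE-2025-10607 enumeration patterns in web server access logs.

Added example (not part of the advisory or i-Educar). Flags clients that hit
/module/Avaliacao/diarioApi with many successful requests and, optionally,
walk a numeric query parameter sequentially. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/module/Avaliacao/diarioApi"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client enumerating ids 101..105 (plus one 403),
# one ordinary browser hit, one client with scattered ids, one unrelated page.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "GET /module/Avaliacao/diarioApi?id=101 HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [01/Oct/2025:10:00:02 +0000] "GET /module/Avaliacao/diarioApi?id=102 HTTP/1.1" 200 790 "-" "python-requests/2.31"
203.0.113.7 - - [01/Oct/2025:10:00:02 +0000] "GET /module/Avaliacao/diarioApi?id=103 HTTP/1.1" 200 801 "-" "python-requests/2.31"
203.0.113.7 - - [01/Oct/2025:10:00:03 +0000] "GET /module/Avaliacao/diarioApi?id=104 HTTP/1.1" 200 799 "-" "python-requests/2.31"
203.0.113.7 - - [01/Oct/2025:10:00:03 +0000] "GET /module/Avaliacao/diarioApi?id=105 HTTP/1.1" 200 805 "-" "python-requests/2.31"
203.0.113.7 - - [01/Oct/2025:10:00:04 +0000] "GET /module/Avaliacao/diarioApi?id=106 HTTP/1.1" 403 211 "-" "python-requests/2.31"
198.51.100.4 - - [01/Oct/2025:10:01:10 +0000] "GET /module/Avaliacao/diarioApi?id=2000 HTTP/1.1" 200 820 "https://school.example/" "Mozilla/5.0"
192.0.2.9 - - [01/Oct/2025:10:02:00 +0000] "GET /module/Avaliacao/diarioApi?id=7 HTTP/1.1" 200 700 "-" "curl/8.4"
192.0.2.9 - - [01/Oct/2025:10:02:05 +0000] "GET /module/Avaliacao/diarioApi?id=300 HTTP/1.1" 200 710 "-" "curl/8.4"
192.0.2.9 - - [01/Oct/2025:10:02:09 +0000] "GET /module/Avaliacao/diarioApi?id=12 HTTP/1.1" 200 690 "-" "curl/8.4"
192.0.2.9 - - [01/Oct/2025:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "curl/8.4"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def numeric_params(target: str) -> Dict[str, int]:
    """Return the query parameters of a request target whose value is an integer."""
    out: Dict[str, int] = {}
    for name, values in parse_qs(urlsplit(target).query).items():
        for v in values:
            if v.isdigit():
                out[name] = int(v)
    return out


def longest_consecutive_run(values: List[int]) -> int:
    """Length of the longest run of consecutive integers in values (0 if empty)."""
    vals = sorted(set(values))
    if not vals:
        return 0
    best = run = 1
    for a, b in zip(vals, vals[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def analyze(log_text: str, min_hits: int = 3, min_run: int = 3) -> List[dict]:
    """Flag clients with >= min_hits successful diarioApi requests.

    Each finding lists query parameters the client walked sequentially for at
    least min_run values, which is the enumeration signature the advisory names.
    """
    hits: Dict[str, int] = defaultdict(int)
    params: Dict[str, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only successful responses from the vulnerable endpoint (prefix match, as in the SIEM query).
        if not urlsplit(rec["target"]).path.startswith(ENDPOINT) or rec["status"] != "200":
            continue
        hits[rec["ip"]] += 1
        for name, value in numeric_params(rec["target"]).items():
            params[rec["ip"]][name].append(value)

    findings = []
    for ip, n in sorted(hits.items()):
        if n < min_hits:
            continue
        seq = [name for name, vals in params[ip].items() if longest_consecutive_run(vals) >= min_run]
        findings.append({"ip": ip, "hits": n, "sequential_params": sorted(seq)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The web server log cannot see application sessions, so "unauthenticated" is inferred from volume and the sequential-ID pattern rather than from the ident/user field; after patching to 2.11, the same enumeration should surface as non-200 responses and drop out of the findings.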
🔗 References
- https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Object%20Level%20Authorization%20(BOLA)%20allows%20enumeration%20of%20classes%20informations%20via%20.module.Avaliacao.diarioApi.md
- https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10607.md
- https://vuldb.com/?ctiid.324627
- https://vuldb.com/?id.324627
- https://vuldb.com/?submit.649875