CVE-2025-10845
📋 TL;DR
This SQL injection vulnerability in Portabilis i-Educar allows attackers to execute arbitrary SQL commands by manipulating the ID parameter in the /module/ComponenteCurricular/view endpoint. This could lead to unauthorized data access, modification, or deletion. All users running i-Educar versions up to 2.10 are affected.
💻 Affected Systems
- Portabilis i-Educar
📦 What is this software?
i-Educar by Portabilis: an open-source school management system, written in PHP and backed by PostgreSQL.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data destruction, or full system takeover via SQL injection leading to remote code execution. Reaching code execution from SQL injection requires the application's database account to hold elevated privileges (for example file-write or command-execution capabilities in the database server); with a least-privilege account the worst case is confined to the data that account can reach.
Likely Case
Unauthorized access to sensitive educational data, student records, or administrative credentials stored in the database.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage to non-critical data.
🎯 Exploit Status
Proof of concept is publicly available, making exploitation straightforward for attackers with basic SQL injection knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.11 or later
Vendor Advisory: https://github.com/portabilis/i-educar/releases
Restart Required: No
Instructions:
1. Backup your database and application files.
2. Download the latest version from the official repository.
3. Follow the upgrade instructions in the documentation.
4. Test the application functionality after upgrade.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation that rejects any ID value that is not a plain positive integer before it is used in a query; if, as its name suggests, the parameter is a numeric record key, nothing else is legitimate input.
Implement parameterized queries or prepared statements in the affected endpoint. This is the durable fix; filtering alone can be bypassed by encoding tricks.
Web Application Firewall Rule
Block SQL injection patterns targeting the vulnerable endpoint.
WAF rule: Block requests to /module/ComponenteCurricular/view containing SQL keywords in parameters. Match on the URL-decoded value, and prefer a positive rule (allow only an all-digit ID value) over a keyword deny-list, which misses quote and boolean probes and produces false positives. Treat the WAF as a stopgap: it does not remove the flaw.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to the i-Educar application
- Deploy a web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
On a system you are authorized to test, request the endpoint with a known-good ID, then with a harmless boolean condition appended to that same ID (for example AND 1=1 versus AND 1=2), and compare the responses; a response that tracks the truth of the appended condition means the value reaches the query unsanitized. Run the check with any WAF out of the path, otherwise it will mask the result.
Check Version:
Check the application version in the admin panel or configuration files
Verify Fix Applied:
Attempt SQL injection tests after patching to confirm they no longer work
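The following added example models the workaround described under Temporary Workarounds (integer validation plus a parameterized query) and the differential check described under How to Verify. It is not i-Educar's own code: the real endpoint is PHP over PostgreSQL, and the two handlers here are hypothetical stand-ins over an in-memory SQLite table so that the example runs offline. The probe uses a generic boolean-based technique and is not the public proof of concept.

```python
"""Model of the ID-parameter injection and a boolean-based probe for it.

Added example, not i-Educar's own code: the real endpoint is PHP over
PostgreSQL; the two handlers below are hypothetical stand-ins backed by an
in-memory SQLite table so the example runs offline."""
import re
import sqlite3
from typing import Callable, List, Optional, Tuple

Rows = List[Tuple[int, str]]

# Constructed sample data standing in for the curricular-component table.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE componente_curricular (id INTEGER PRIMARY KEY, nome TEXT)")
_conn.executemany(
    "INSERT INTO componente_curricular VALUES (?, ?)",
    [(1, "Matematica"), (2, "Portugues"), (3, "Historia")],
)
_conn.commit()


def vulnerable_view(id_param: str) -> Rows:
    """Models the flaw: the raw ID value is concatenated into the SQL text."""
    sql = "SELECT id, nome FROM componente_curricular WHERE id = " + id_param
    return _conn.execute(sql).fetchall()


def hardened_view(id_param: str) -> Rows:
    """Workaround/fix shape: strict integer validation plus a bound parameter.

    Either measure alone closes this hole; together they also keep a
    malformed value from reaching the database at all.
    """
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        raise ValueError("ID must be a positive integer")
    sql = "SELECT id, nome FROM componente_curricular WHERE id = ?"
    return _conn.execute(sql, (int(id_param),)).fetchall()


def looks_injectable(fetch: Callable[[str], Rows], known_id: str = "1") -> bool:
    """Boolean-based differential probe (generic technique, not the public PoC).

    In a numeric SQL context, 'ID AND 1=1' reproduces the baseline response
    and 'ID AND 1=2' returns nothing. A hardened endpoint rejects both probes
    or answers them identically, so the pattern does not appear.
    """
    def safe(value: str) -> Optional[Rows]:
        try:
            return fetch(value)
        except Exception:  # rejected input or SQL error: no usable result
            return None

    baseline = safe(known_id)
    if not baseline:
        return False
    true_probe = safe(f"{known_id} AND 1=1")
    false_probe = safe(f"{known_id} AND 1=2")
    return true_probe == baseline and false_probe == []
```

Against a live instance you are authorized to test, pass a fetch function that issues GET /module/ComponenteCurricular/view?ID=<value> (the query-string location is an assumption; adjust if the parameter is posted), strips volatile content such as timestamps and CSRF tokens, and returns the body; the same comparison then applies. URL-encode the probe values before sending them.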
📡 Detection & Monitoring
Log Indicators:
- SQL syntax or database error messages in the application log generated by requests to the affected endpoint
- New or unexpected administrative sessions, or failed logins followed by a successful one, after a burst of injection-style requests (credentials read out of the database)
- Unusual queries from the application's database account, such as UNION SELECT, information_schema lookups or time-delay functions
Network Indicators:
- HTTP requests to /module/ComponenteCurricular/view whose ID parameter is not a plain integer, including URL-encoded SQL keywords, quotes or boolean conditions
- Outbound connections from the database or application server to unexpected hosts (data exfiltration or out-of-band injection)
SIEM Query (pseudo-syntax; adapt field names to your platform):
source="web_server" AND uri="/module/ComponenteCurricular/view" AND (param="ID" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|create|alter)")
URL-decode the parameter value before matching, and add a second, tighter rule that fires whenever the ID value does not match ^[0-9]+$, since a keyword list misses quote and boolean probes.
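The detection logic from the indicators and SIEM query above, run over constructed access-log lines. This is an added example, not vendor tooling: the combined-log layout, the sample entries and the extra time-delay keywords are assumptions made for the demo. It flags both keyword hits and the tighter non-numeric-ID condition, and counts findings per source address so that a burst from one client can drive an alert.

```python
"""Detection of injection attempts against the i-Educar endpoint, run over
constructed web-server access-log lines.

Added example, not vendor tooling: the combined-log layout and the sample
entries below are assumptions (constructed for the demo)."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/module/ComponenteCurricular/view"
PARAM = "ID"

# Keyword list from the SIEM query, extended with time-delay functions (assumed useful).
SQL_KEYWORDS = re.compile(
    r"(?i)\b(union|select|insert|update|delete|drop|create|alter|sleep|pg_sleep|waitfor)\b"
)
# Common/combined log format: client ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic). Lines 1 and 5 are benign; 2-4 are probes.
CONSTRUCTED_LOG = """\
203.0.113.7 - - [10/Oct/2025:14:03:11 +0000] "GET /module/ComponenteCurricular/view?ID=42 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2025:14:03:15 +0000] "GET /module/ComponenteCurricular/view?ID=42%27 HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2025:14:03:19 +0000] "GET /module/ComponenteCurricular/view?ID=42%20AND%201%3D2 HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2025:14:03:24 +0000] "GET /module/ComponenteCurricular/view?ID=42%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 6010
198.51.100.9 - - [10/Oct/2025:14:04:02 +0000] "GET /module/ComponenteCurricular/view?ID=7 HTTP/1.1" 200 5080
"""


def analyze(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if it is not suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != ENDPOINT:
        return None
    reasons = set()
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        decoded = unquote(value)  # second decode catches %2527-style double encoding
        # Strongest signal: ID is an integer key, so anything else is hostile or
        # broken, whether or not it contains a keyword the regex knows about.
        if not re.fullmatch(r"[0-9]+", decoded):
            reasons.add("non-numeric ID")
        if SQL_KEYWORDS.search(decoded):
            reasons.add("sql keyword in ID")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "uri": m.group("uri"),
        "reasons": sorted(reasons),
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run analyze() over every line and keep the findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = analyze(line)
        if hit:
            findings.append(hit)
    return findings


def by_source(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per client IP: a burst from one address is the alert trigger."""
    counts: Dict[str, int] = {}
    for hit in findings:
        ip = str(hit["ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Note that the quote probe on the second line and the boolean probe on the third carry no keyword from the SIEM list and would be missed by the keyword rule alone; the non-numeric check catches both.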