CVE-2025-11047
📋 TL;DR
This vulnerability in Portabilis i-Educar allows attackers to bypass authorization controls and enumerate student records by manipulating the aluno_id parameter in the /module/Api/aluno endpoint. It affects all i-Educar installations up to version 2.10. The vulnerability can be exploited remotely without authentication.
💻 Affected Systems
- Portabilis i-Educar
📦 What is this software?
i-Educar by Portabilis
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of all student records including sensitive personal information, leading to data breach, regulatory fines, and reputational damage.
Likely Case
Unauthorized access to student records, potential exposure of personally identifiable information (PII), and violation of data privacy regulations.
If Mitigated
Limited or no data exposure if proper network segmentation and access controls are implemented.
🎯 Exploit Status
Public exploit details are available in GitHub repositories. The vulnerability requires simple parameter manipulation and no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.11 or later
Vendor Advisory: https://github.com/portabilis/i-educar/releases
Restart Required: No
Instructions:
1. Backup your current installation.
2. Update to i-Educar version 2.11 or later.
3. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Temporarily block access to the /module/Api/aluno endpoint using web server configuration or WAF rules (note that this also blocks legitimate API clients until the patch is applied).
# Apache (virtual host context, with RewriteEngine On): RewriteRule ^/module/Api/aluno - [F]
# Nginx: location ~ ^/module/Api/aluno { deny all; }
Implement API Rate Limiting
Add rate limiting to API endpoints to prevent mass enumeration attacks.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the i-Educar application.
- Deploy a web application firewall (WAF) with rules to detect and block unauthorized access to student records.
🔍 How to Verify
Check if Vulnerable:
Test if you can access student records by manipulating the aluno_id parameter in requests to /module/Api/aluno without proper authorization.
Check Version:
Check the i-Educar version in the application interface or configuration files.
Verify Fix Applied:
After patching, attempt the same exploitation technique and verify that proper authorization checks are now enforced.
📡 Detection & Monitoring
Log Indicators:
- Unusual number of requests to /module/Api/aluno endpoint
- Requests with sequential aluno_id parameters
- Access attempts from unauthorized IP addresses
Network Indicators:
- Burst of HTTP GET requests to the vulnerable endpoint
- Pattern of requests with incrementing ID parameters
SIEM Query:
source="web_server" uri="/module/Api/aluno*" | stats count by src_ip, user_agent
(Splunk SPL; the trailing wildcard also matches requests that carry a query string such as aluno_id.)
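As an added example that is not part of this advisory, the following Python detector applies the log indicators above (hits on /module/Api/aluno whose aluno_id values increment in sequence) to constructed combined-format access-log lines; the sample addresses, IDs and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format, RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:10:00:01 +0000] "GET /module/Api/aluno?aluno_id=1001 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:10:00:02 +0000] "GET /module/Api/aluno?aluno_id=1002 HTTP/1.1" 200 498 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:10:00:02 +0000] "GET /module/Api/aluno?aluno_id=1003 HTTP/1.1" 200 507 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2025:10:05:00 +0000] "GET /module/Api/aluno?aluno_id=2231 HTTP/1.1" 200 520 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:10:09:00 +0000] "GET /module/Api/aluno?aluno_id=4410 HTTP/1.1" 200 516 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2025:10:06:00 +0000] "GET /intranet/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

ENDPOINT = "/module/Api/aluno"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) ')

def parse_line(line):
    """Return (src_ip, aluno_id or None) for a hit on ENDPOINT, else None."""
    m = LOG_RE.match(line)
    url = urlparse(m["target"]) if m else None
    if url is None or url.path != ENDPOINT:
        return None
    ids = parse_qs(url.query).get("aluno_id", [])
    return m["ip"], (int(ids[0]) if ids and ids[0].isdigit() else None)

def longest_sequential_run(ids):
    """Length of the longest run in which each aluno_id is the previous one plus 1."""
    best = run = min(len(ids), 1)
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(log_text, min_requests=3, min_run=3):
    """Flag source IPs whose hits on ENDPOINT carry sequential aluno_id values
    (assumed thresholds; tune them to the site's normal API traffic)."""
    ids_by_ip = defaultdict(list)  # request-order aluno_id values per source IP
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] is not None:
            ids_by_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, ids in ids_by_ip.items():
        run = longest_sequential_run(ids)
        if len(ids) >= min_requests and run >= min_run:
            flagged[ip] = {"requests": len(ids), "sequential_run": run}
    return flagged
```

On the sample above only 203.0.113.5 is flagged; the second source touches the endpoint with unrelated IDs and stays below both thresholds.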
🔗 References
- https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken_Object_Level_Authorization_allows_enumeration_of_student_records_via_.module.Api.aluno.md
- https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11047.md
- https://vuldb.com/?ctiid.326084
- https://vuldb.com/?id.326084
- https://vuldb.com/?submit.659201