| Title | Portabilis i-Educar 2.10.0 Exposure of Private Personal Information to an Unauthorized Actor |
|---|---|

## Description

Broken Object Level Authorization (BOLA) in pessoa API Endpoint Allows Unauthorized Access to Other Users' Data
### Summary

A Broken Object Level Authorization (BOLA) vulnerability was identified in the i-Educar 2.8 and 2.9 API, allowing any authenticated low-privileged user to access sensitive information belonging to other users by manipulating the `id` parameter of the `pessoa` resource endpoint.

### Details

The endpoint `/module/Api/pessoa` lacks proper authorization checks to ensure that the authenticated user can only access their own data.

By altering the `id` parameter in the following request, any authenticated user can retrieve information about other users:

```http
GET /module/Api/pessoa?&oper=get&resource=pessoa&id=1 HTTP/1.1
```

### PoC

1. Authenticate as a non-privileged user (e.g., a student or professor). Screenshot: https://github.com/CVE-Hunters/CVE/raw/main/images/bola001.png
2. Send the following request, targeting the user with `id=1`:

   ```http
   GET /module/Api/pessoa?&oper=get&resource=pessoa&id=1 HTTP/1.1
   Cookie: i_educar_session=VALID_SESSION_COOKIE
   ```

   Screenshot: https://github.com/CVE-Hunters/CVE/raw/main/images/bfla002.png
3. Observe that the user data for `id=1` is returned, even though the logged-in user is not authorized to access that profile. Screenshot: https://github.com/CVE-Hunters/CVE/raw/main/images/bola003.png

### Impact

This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), leading to sensitive data exposure: any authenticated user can access the personal information of other users. This can lead to:

- Unauthorized access to sensitive PII
- Violation of data protection laws (e.g., LGPD, GDPR)
- Potential abuse of user data or impersonation
- User enumeration
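The missing check described in the Details section, as an added Python example that is not i-Educar's code: a `pessoa` lookup modelled on the advisory's request, first in the vulnerable shape (the handler trusts the client-supplied `id`) and then with the object-level authorization decision taken before any record is read. The record table, the `Session` fields and the role names are assumptions made for the illustration.

```python
# Added example, not i-Educar's code: object-level authorization for a
# "pessoa" lookup modelled on the advisory's request
# (GET /module/Api/pessoa?oper=get&resource=pessoa&id=N).
# The record table, the session fields and the role names are assumed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample "pessoa" records: id -> personal data (fake values).
PESSOAS = {
    1: {"id": 1, "nome": "Admin Person", "cpf": "000.000.000-00"},
    2: {"id": 2, "nome": "Student A", "cpf": "111.111.111-11"},
    3: {"id": 3, "nome": "Professor B", "cpf": "222.222.222-22"},
}

@dataclass(frozen=True)
class Session:
    pessoa_id: int  # record bound to the authenticated user
    role: str       # assumed roles: "student", "professor", "admin"

class Forbidden(Exception):
    """Raised when the session may not read the requested object."""

def parse_id(raw: str) -> int:
    """The id arrives as a query-string value; accept only a positive
    integer so a malformed value never reaches the lookup."""
    if not raw.isdigit() or int(raw) <= 0:
        raise ValueError(f"invalid id: {raw!r}")
    return int(raw)

def get_pessoa_vulnerable(session: Session, requested_id: int) -> Optional[dict]:
    """The BOLA shape: the user is authenticated, but the handler trusts
    the client-supplied id and never compares it with the session."""
    return PESSOAS.get(requested_id)

def can_read_pessoa(session: Session, requested_id: int) -> bool:
    """Object-level rule: a user may read only their own record unless
    they hold the (assumed) administrative role."""
    return session.role == "admin" or session.pessoa_id == requested_id

def get_pessoa_hardened(session: Session, requested_id: int) -> Optional[dict]:
    """Same lookup, but the per-object authorization decision is taken
    before any data is read; a denied request fails closed."""
    if not can_read_pessoa(session, requested_id):
        raise Forbidden(f"pessoa {requested_id} not accessible to pessoa {session.pessoa_id}")
    return PESSOAS.get(requested_id)
```

In a real handler the `Forbidden` case maps to an HTTP 403, and the audit log should record the session's own identity together with the rejected `id`, which is also the signal to alert on when one session requests many distinct ids.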
| Source | ⚠️ https://github.com/CVE-Hunters/CVE/blob/main/i-educar/Broken%20Object%20Level%20Authorization%20(BOLA)%20in%20pessoa%20API%20Endpoint%20Allows%20Unauthorized%20Access%20to%20Other%20Users%20Data.md |
|---|---|
| User | nmmorette (UID 87361) |
| Submission | 31/07/2025 01:04 AM (9 months ago) |
| Moderation | 09/08/2025 07:11 AM (9 days later) |
| Status | Approved |
| VulDB Entry | 319318 [Portabilis i-Educar up to 2.9.0 API Endpoint /module/Api/pessoa id authorization bypass] |
| Points | 20 |