| Title | Portabilis i-educar 2.10 Broken Object Level Authorization |
|---|---|
| Description | # Broken Object Level Authorization (BOLA)
Broken Object Level Authorization (BOLA) allows enumeration of class data via /module/Avaliacao/diarioApi
### Summary
A **Broken Object Level Authorization (BOLA)** vulnerability was identified in the `diario` API of the **i-Educar** application. This flaw allows a user without proper permissions to query the endpoint and retrieve **class information** by manipulating request parameters.
Although this vulnerability does not directly expose individual student data, it still constitutes an **unauthorized disclosure of academic structure information**, which can be leveraged for enumeration or as a stepping stone for further attacks.
---
### Details
**Vulnerable Endpoint:**
`GET /module/Avaliacao/diarioApi`
The application fails to enforce **object-level authorization** when handling this endpoint. As a result, any authenticated user can manipulate the request parameters (the institution, school, course and class identifiers) to access data they are not entitled to see.
**Expected behavior:**
- Only authorized roles (e.g., administrators, coordinators, teachers linked to the class) should be able to access this data.
- Unauthorized users should receive **403 Forbidden** or an empty response.
**Observed behavior:**
- Any authenticated user (even low-privilege accounts) can access this endpoint and retrieve sensitive information about academic classes.
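The object-level check that the expected behavior above calls for, as an added Python example (this is not i-Educar's own code). The session table and role names are constructed assumptions; the query string is trimmed from the PoC request on this page, which carries each class id under two names (`turma_id` and `ref_cod_turma`), so the check resolves every alias and refuses requests where they disagree.

```python
from urllib.parse import parse_qs

# Query string trimmed from the PoC request on this page (unused parameters
# dropped). Note that each class id appears under two different names.
POC_QUERY = ("resource=matriculas&oper=get&instituicao_id=1&escola_id=3"
             "&turma_id=3&matricula_id=12&ref_cod_escola=3&ref_cod_turma=3")
# Constructed session table for this example, not i-Educar's data model;
# "turmas" holds the class ids a teacher is linked to.
SESSIONS = {
    "admin-session":   {"role": "admin",   "turmas": set()},
    "teacher-session": {"role": "teacher", "turmas": {3}},
    "student-session": {"role": "student", "turmas": set()},
}
ROLES_WITH_FULL_ACCESS = {"admin", "coordinator"}

# Names under which the same object id travels in the request.
ALIASES = {"escola": ("escola_id", "ref_cod_escola"),
           "turma":  ("turma_id",  "ref_cod_turma")}

def object_ids(query):
    """Resolve each object id from all its aliases; reject missing, non-numeric or
    conflicting values so the check and the handler cannot disagree on the object."""
    params = parse_qs(query, keep_blank_values=True)
    ids = {}
    for name, keys in ALIASES.items():
        values = {v for k in keys for v in params.get(k, [])}
        if len(values) != 1:
            raise ValueError(f"{name}: missing or conflicting ids {sorted(values)}")
        value = values.pop()
        if not value.isdigit():
            raise ValueError(f"{name}: non-numeric id {value!r}")
        ids[name] = int(value)
    return ids

def authorize(session_id, query):
    """Status the diarioApi handler should answer with. Deny by default: only full-access
    roles, or a teacher linked to the requested turma, get 200; everyone else gets 403."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401
    try:
        ids = object_ids(query)
    except ValueError:
        return 400
    if user["role"] in ROLES_WITH_FULL_ACCESS:
        return 200
    if user["role"] == "teacher" and ids["turma"] in user["turmas"]:
        return 200
    return 403
```

The decision is made before any query touches the enrollment data, so a low-privilege session iterating `turma_id` values only ever sees 403.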
---
### Proof of Concept (PoC)
1. Authenticate as a non-privileged user.
<img width="1439" height="663" alt="Pasted image 20250905173645" src="https://github.com/user-attachments/assets/c79bb6d5-1082-4f82-8095-85bf7a251c8e" />
<img width="846" height="616" alt="Pasted image 20250821225232" src="https://github.com/user-attachments/assets/b7f69cc4-c874-42e5-8c6f-aeb96557072c" />
2. Send the following request:
```http
GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&instituicao_id=1&escola_id=3&curso_id=4&serie_id=undefined&turma_id=3&ano_escolar=2025&componente_curricular_id=11&etapa=1&matricula_id=12&busca=S&mostrar_botao_replicar_todos=1&ano=2025&ref_cod_instituicao=1&ref_cod_escola=3&ref_cod_curso=4&ref_cod_serie=6&ref_cod_turma=3&etapa=1&ref_cod_componente_curricular=11&ref_cod_matricula=12&navegacao_tab=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://localhost/module/Avaliacao/diario?&resource=matriculas&oper=get&instituicao_id=1&escola_id=3&curso_id=4&serie_id=undefined&turma_id=3&ano_escolar=2025&componente_curricular_id=11&etapa=1&matricula_id=12
Cookie: educar_session=[low-privileged-session]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
```
<img width="1437" height="673" alt="Pasted image 20250905173506" src="https://github.com/user-attachments/assets/dd796acd-760f-4728-af38-d4057b39f7cc" />
3. Observe that information about the classes is returned in the response.
---
### Impact
- **Information Disclosure:** Even though student data is not included, sensitive details about the institution’s internal structure (classes, courses, schedules) are exposed.
- **Reconnaissance Vector:** An attacker could use this endpoint to map out the entire academic structure, identifying valid IDs.
- **Chaining attacks:** Combined with other vulnerabilities (e.g., BOLA on enrollment endpoints), this facilitates enumeration and targeted exploitation of student records.
- **Compliance Risk:** Exposure of institutional metadata to unauthorized users can still represent a data governance issue. |
| Source | ⚠️ https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Object%20Level%20Authorization%20(BOLA)%20allows%20enumeration%20of%20classes%20informations%20via%20.module.Avaliacao.diarioApi.md |
| User | marceloQz (UID 87549) |
| Submission | 07.09.2025 16:41 (9 months ago) |
| Moderation | 17.09.2025 09:04 (10 days later) |
| Status | Accepted |
| VulDB Entry | 324627 [Portabilis i-Educar up to 2.10 diarioApi Information Disclosure] |
| Points | 20 |