Submission #638582: Portabilis i-educar 2.10 Broken Object Level Authorization (information)

Title: Portabilis i-educar 2.10 Broken Object Level Authorization

Description:

# Broken Object Level Authorization (BOLA) allows enumeration of students via /module/HistoricoEscolar/processamentoApi

### Summary

A Broken Object Level Authorization (BOLA) vulnerability was identified in the `/module/HistoricoEscolar/processamentoApi` endpoint of the **i-Educar** application. This flaw allows low-privileged users (e.g., standard student/responsible accounts) to retrieve enrollment (`matriculas`) information of students outside their scope, exposing Personally Identifiable Information (PII) without proper authorization checks.

---

### Details

**Vulnerable Endpoint:** `GET /module/HistoricoEscolar/processamentoApi`

The application fails to enforce **object-level authorization** when handling this endpoint. As a result, any authenticated user can manipulate the request values to access sensitive information (names, IDs, enrollment status) of students.

---

### Proof of Concept (PoC)

1. Authenticate as a non-privileged user.

   ![[Pasted image 20250818200456.png]]

2. Send the following request:

   ```
   GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&instituicao_id=1&escola_id=4&curso_id=3&serie_id=5&turma_id=23&ano=2025&busca=S HTTP/1.1
   Cookie: i_educar_session=<low-privileged-session>
   ```

   ![[Pasted image 20250818201357.png]]

3. We could observe that information about the students was returned.

---

### Impact

This vulnerability exposes **Personally Identifiable Information (PII)** of students, including:

- Names
- Class, course, and enrollment status
- Institutional relationships

**Potential risks include:**

- Unauthorized data harvesting of all students across institutions
- Privacy violations (LGPD compliance risk)
- Social engineering opportunities by attackers
- Reputational damage for the institution

**Severity:** High

- Low privileges required
- High impact (sensitive data exposure)
- Easy to exploit with parameter tampering
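The root cause described above is that the handler trusts the object identifiers in the query string (`instituicao_id`, `escola_id`, `turma_id`, ...) and never compares them with what the session is allowed to see. The following added example is a hypothetical Python model of that pattern, not i-Educar's own PHP code and not the reporter's PoC: it places the vulnerable handler beside a hardened one that resolves the caller's scope server-side before querying, and adds a small log check that flags one session pulling `matriculas` for many distinct classes, which is the access pattern a defender can watch for until the fix is deployed. The sample enrollment rows, session roles, scope rules and log lines are all constructed for the illustration.

```python
"""Object-level authorization for an enrollment ("matriculas") lookup.

Hypothetical model of the processamentoApi pattern in the report. This is NOT
i-Educar's code; the data, session shape, role names and log format below are
constructed for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: one enrollment row per student.
ENROLLMENTS = [
    {"matricula_id": 101, "nome": "Student A", "instituicao_id": 1, "escola_id": 1, "turma_id": 10, "ano": 2025},
    {"matricula_id": 102, "nome": "Student B", "instituicao_id": 1, "escola_id": 1, "turma_id": 10, "ano": 2025},
    {"matricula_id": 201, "nome": "Student C", "instituicao_id": 1, "escola_id": 4, "turma_id": 23, "ano": 2025},
    {"matricula_id": 202, "nome": "Student D", "instituicao_id": 1, "escola_id": 4, "turma_id": 23, "ano": 2025},
]


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str                                   # hypothetical roles: admin, secretaria, responsavel
    escolas: frozenset = field(default_factory=frozenset)     # schools a secretaria may read
    matriculas: frozenset = field(default_factory=frozenset)  # a responsavel's own enrollments


class Forbidden(Exception):
    """Raised when the session has no rights over the requested object."""


def query_matriculas(params):
    """Shared data access: filters rows only by the request parameters."""
    return [r for r in ENROLLMENTS
            if all(r.get(k) == v for k, v in params.items() if k in r)]


def processamento_vulnerable(session, params):
    """The BOLA: any authenticated session gets whatever the ids select."""
    return query_matriculas(params)


def processamento_hardened(session, params):
    """Resolve the caller's scope server-side before touching the data."""
    if session.role == "admin":
        return query_matriculas(params)
    if session.role == "secretaria":
        escola = params.get("escola_id")
        if escola not in session.escolas:
            raise Forbidden(f"user {session.user_id} has no access to escola {escola}")
        return query_matriculas(params)
    # Responsible/student accounts never get a class listing: only their own
    # rows, whatever ids the client supplied (client-side scoping is not trusted).
    return [r for r in query_matriculas(params) if r["matricula_id"] in session.matriculas]


def is_denied(session, params):
    """True when the hardened handler refuses the request outright."""
    try:
        processamento_hardened(session, params)
    except Forbidden:
        return True
    return False


# Detection: one session reading matriculas for many distinct (escola, turma)
# pairs is the parameter-tampering pattern behind this report.
LOG_RE = re.compile(r"session=(?P<sid>\S+) .*processamentoApi\?(?P<qs>\S+)")


def flag_enumeration(log_lines, max_distinct_turmas=3):
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qs = dict(p.split("=", 1) for p in m.group("qs").split("&") if "=" in p)
        if qs.get("att") == "matriculas" and qs.get("oper") == "get":
            seen[m.group("sid")].add((qs.get("escola_id"), qs.get("turma_id")))
    return sorted(sid for sid, pairs in seen.items() if len(pairs) > max_distinct_turmas)


# Constructed sessions and requests used by the demo below.
RESPONSAVEL = Session(user_id=7, role="responsavel", matriculas=frozenset({101}))
SECRETARIA = Session(user_id=3, role="secretaria", escolas=frozenset({1}))
REQ_OWN_SCHOOL = {"att": "matriculas", "oper": "get", "instituicao_id": 1, "escola_id": 1, "ano": 2025}
REQ_OTHER_SCHOOL = {"att": "matriculas", "oper": "get", "instituicao_id": 1, "escola_id": 4, "ano": 2025}

# Constructed access-log lines: s1 walks five classes, s2 reads one.
SAMPLE_LOG = [
    f"session=s1 GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&escola_id=4&turma_id={t}&ano=2025 HTTP/1.1"
    for t in range(21, 26)
] + ["session=s2 GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&escola_id=1&turma_id=10&ano=2025 HTTP/1.1"]

if __name__ == "__main__":
    print("vulnerable:", [r["nome"] for r in processamento_vulnerable(RESPONSAVEL, REQ_OTHER_SCHOOL)])
    print("hardened:  ", [r["nome"] for r in processamento_hardened(RESPONSAVEL, REQ_OTHER_SCHOOL)])
    print("secretaria denied for escola 4:", is_denied(SECRETARIA, REQ_OTHER_SCHOOL))
    print("sessions flagged:", flag_enumeration(SAMPLE_LOG))
```

The design point is that the hardened handler derives the allowed set of schools and enrollments from the server-side session, and the query parameters are only ever used to narrow that set, never to widen it; a `responsavel` therefore gets an empty list rather than an error when asking for another school, which leaks nothing about whether that school or class exists.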
Source: ⚠️ https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Object%20Level%20Authorization%20(BOLA)%20allows%20enumeration%20of%20students%20via%20.module.HistoricoEscolar.processamentoApi.md
User: marceloQz (UID 87549)
Submitted: 2025-08-20 16:46 (10 months ago)
Moderation: 2025-08-29 12:58 (9 days later)
Status: Accepted
VulDB entry: 321899 [Portabilis i-Educar up to 2.10 processamentoApi privilege escalation]
Points: 20