| Title | Portabilis i-Educar 2.10.0 Authorization Bypass |
|---|
| Description | Broken Function Level Authorization (BFLA) allows unauthorized users to alter student grades

Summary

An API endpoint in i-Educar 2.9.0 is vulnerable to Broken Function Level Authorization (BFLA). An unauthorized user can modify student grades by directly accessing the /module/Api/Diario endpoint, bypassing permission controls. This leads to severe integrity issues: anyone who knows the API request format can tamper with academic records.

Details

The endpoint /module/Api/Diario does not enforce proper authorization checks to validate whether the calling user has the right to alter student grades. Even a user without any profile or assigned permissions can successfully submit a request and change the grades of students in the system.

There is no validation of session roles or associated permissions before sensitive academic actions are executed.

PoC

1 - Create a new user with no privileges.
2 - Prepare a request to the /module/Api/Diario endpoint with the data to submit a student grade, using the low-privilege user's cookie, then send the request.

Screenshot: https://github.com/CVE-Hunters/CVE/blob/main/images/bfla002.png?raw=true

Observe the results:

```json
{
  "oper": "post",
  "resource": "grades",
  "msgs": [{
    "msg": "Grades successfully posted!",
    "type": "success"
  }],
  "any_error_msg": false
}
```

Impact

This is a Broken Function Level Authorization (BFLA) vulnerability, as categorized by the OWASP API Security Top 10 (2023) - API4. The consequences include:

- Tampering with academic data without authorization.
- Loss of data integrity in school records.
- Potential legal and reputational damage for educational institutions.
|
|---|
| Source | https://github.com/CVE-Hunters/CVE/blob/main/i-educar/Broken%20Function%20Level%20Authorization%20(BFLA)%20allows%20unauthorized%20users%20to%20alter%20student%20grades.md |
|---|
| User | nmmorette (UID 87361) |
|---|
| Submitted | 2025. 07. 31. AM 01:02 (9 months ago) |
|---|
| Moderation | 2025. 08. 09. AM 07:11 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 319317 [Portabilis i-Educar up to 2.9.0 API Endpoint /module/Api/Diario privilege escalation] |
|---|
| Points | 20 |
|---|
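As an added example (not i-Educar's own code), the following Python model of a Diario-style API dispatcher shows the missing function-level check described under Details and the corrected form that maps each (resource, oper) pair to a required permission; the permission names, session structure and handler names are assumptions, and the response shape follows the PoC output above.

```python
# Hypothetical model of an API dispatcher like /module/Api/Diario.
# Not i-Educar's code; all names and the permission mapping are assumed.

# Permission required for each (resource, oper) pair; unknown pairs are denied.
REQUIRED_PERMISSION = {
    ("grades", "post"): "grades.write",
    ("grades", "get"): "grades.read",
}

def success_response(resource, oper):
    # Same shape as the response quoted in the PoC.
    return {"oper": oper, "resource": resource,
            "msgs": [{"msg": "Grades successfully posted!", "type": "success"}],
            "any_error_msg": False}

def error_response(resource, oper, msg):
    return {"oper": oper, "resource": resource,
            "msgs": [{"msg": msg, "type": "error"}],
            "any_error_msg": True}

def handle_vulnerable(session, request):
    # BFLA: only checks that a session exists, never what it may do.
    if not session:
        return error_response(request["resource"], request["oper"], "Not authenticated")
    return success_response(request["resource"], request["oper"])

def handle_fixed(session, request):
    # Function-level authorization: the operation itself decides the permission needed.
    resource, oper = request["resource"], request["oper"]
    if not session:
        return error_response(resource, oper, "Not authenticated")
    needed = REQUIRED_PERMISSION.get((resource, oper))
    if needed is None:
        return error_response(resource, oper, "Unknown operation")  # deny by default
    if needed not in session.get("permissions", ()):
        return error_response(resource, oper, "Forbidden")
    return success_response(resource, oper)

# Constructed sample sessions: a new account with no profile, and a teacher.
NO_PROFILE_USER = {"user": "newuser", "permissions": []}
TEACHER = {"user": "teacher1", "permissions": ["grades.read", "grades.write"]}
GRADE_POST = {"oper": "post", "resource": "grades", "grade": 8.5}

if __name__ == "__main__":
    print(handle_vulnerable(NO_PROFILE_USER, GRADE_POST))  # accepted: the bug
    print(handle_fixed(NO_PROFILE_USER, GRADE_POST))       # Forbidden
    print(handle_fixed(TEACHER, GRADE_POST))               # accepted
```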