Submission #625918: Portabilis i-Educar 2.10.0 Exposure of Private Personal Information to an Unauthorized Actor

Title: Portabilis i-Educar 2.10.0 Exposure of Private Personal Information to an Unauthorized Actor
Description: Broken Object Level Authorization (BOLA) in pessoa API Endpoint Allows Unauthorized Access to Other Users' Data

Summary
A Broken Object Level Authorization (BOLA) vulnerability was identified in the i-Educar 2.8 and 2.9 API, allowing any authenticated low-privileged user to access sensitive information about other users by manipulating the id parameter of the pessoa resource endpoint.

Details
The endpoint /module/Api/pessoa lacks the authorization check that would restrict an authenticated user to their own data. By changing the id parameter in the following request, any authenticated user can retrieve information about other users:

GET /module/Api/pessoa?&oper=get&resource=pessoa&id=1 HTTP/1.1

PoC
1. Authenticate as a non-privileged user (e.g., student, professor).
   Screenshot: https://github.com/CVE-Hunters/CVE/raw/main/images/bola001.png
2. Send the following request targeting the user with id=1:
   GET /module/Api/pessoa?&oper=get&resource=pessoa&id=1 HTTP/1.1
   Cookie: i_educar_session=VALID_SESSION_COOKIE
   Screenshot: https://github.com/CVE-Hunters/CVE/raw/main/images/bfla002.png
3. Observe that the user data for id=1 is returned, even though the logged-in user is not authorized to access that profile.
   Screenshot: https://github.com/CVE-Hunters/CVE/raw/main/images/bola003.png

Impact
This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), allowing sensitive data exposure. Any authenticated user can access the personal information of other users. This can lead to:
- Unauthorized access to sensitive PII
- Violation of data protection laws (e.g., LGPD, GDPR)
- Potential abuse of user data or impersonation
- User enumeration
Source: https://github.com/CVE-Hunters/CVE/blob/main/i-educar/Broken%20Object%20Level%20Authorization%20(BOLA)%20in%20pessoa%20API%20Endpoint%20Allows%20Unauthorized%20Access%20to%20Other%20Users%20Data.md
User: nmmorette (UID 87361)
Submitted: 31/07/2025 01h04 (9 months ago)
Moderated: 09/08/2025 07h11 (9 days later)
Status: Accepted
VulDB Entry: 319318 [Portabilis i-Educar up to 2.9.0 API Endpoint /module/Api/pessoa ID Privilege Escalation]
Points: 20
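The missing check described in the submission above, shown as an added illustration that is not i-Educar's own code: a handler that trusts the id parameter as-is, next to a hardened form that enforces object-level authorization on the pessoa resource and records denied requests so id enumeration can be detected. The Session class, the role names, the in-memory records and the status codes are assumptions.

```python
# Added illustration (not i-Educar's code). Models the request
#   GET /module/Api/pessoa?&oper=get&resource=pessoa&id=N
# from the advisory. Session, roles, records and status codes are assumptions.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Session:
    user_id: int         # id of the logged-in user's own pessoa record
    roles: frozenset     # e.g. {"student"}, {"professor"}, {"admin"}


# Constructed sample records; a real deployment reads these from its database.
PESSOAS = {
    1: {"id": 1, "nome": "Admin User", "cpf": "***"},
    42: {"id": 42, "nome": "Student A", "cpf": "***"},
    43: {"id": 43, "nome": "Student B", "cpf": "***"},
}
ADMIN_ROLES = {"admin"}   # assumed: roles permitted to read any record
AUDIT_LOG = []            # (requester, requested id) for every denial


def vulnerable_get_pessoa(query: str) -> dict:
    """Behaviour the advisory describes: any authenticated caller gets any id."""
    pid = int(parse_qs(urlsplit(query).query)["id"][0])
    return PESSOAS.get(pid, {})


def authorized_get_pessoa(session: Session, query: str):
    """Hardened form: decide ownership before touching the record."""
    params = parse_qs(urlsplit(query).query)
    if params.get("oper") != ["get"] or params.get("resource") != ["pessoa"]:
        return 400, {"error": "unsupported operation"}
    try:
        pid = int(params["id"][0])
    except (KeyError, ValueError):
        return 400, {"error": "invalid id"}
    # Object-level check first: a non-admin may only read their own record.
    # Deciding before the lookup keeps the response identical for existing and
    # non-existing foreign ids, which removes the user-enumeration side channel.
    if pid != session.user_id and not (session.roles & ADMIN_ROLES):
        AUDIT_LOG.append((session.user_id, pid))
        return 403, {"error": "forbidden"}
    record = PESSOAS.get(pid)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record
```

Repeated entries in AUDIT_LOG from one requester against many different ids are the signal a detection rule would alert on.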
