| Title | Portabilis i-Educar 2.9.10 Improper Handling of Insufficient Permissions or Privileges |
|---|---|
| Description | Users without the necessary privileges to change user types can modify the permissions of registered user types through an arbitrary request to the endpoint responsible for this action. This allows low-privileged users to escalate their privileges by granting maximum permissions to the user type they are associated with, compromising all sections of the application. |
| Source | ⚠️ https://docs.google.com/document/d/1yGubpU9I6JnkKsrdNRP6bUCeQv3ZDcknXAHOzFZBkGQ/ |
| User | m3m0o (UID 87980) |
| Submission | 10/08/2025 04:05 (9 months ago) |
| Moderation | 10/09/2025 13:59 (1 day later) |
| Status | Accepted |
| VulDB entry | 327714 [Portabilis i-Educar up to 2.9.10 User Type AccessLevelController.php insecure inherited permissions] |
| Points | 18 |