
CVE-2025-11047

Broken Access Control (BOLA)

CVE-2025-11047: Broken Object Level Authorization (BOLA) allows enumeration of student records via /module/Api/aluno

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-11047

Summary

A Broken Object Level Authorization (BOLA) vulnerability was identified in the /module/Api/aluno endpoint of the i-Educar application. This flaw allows a user without proper permissions to query the endpoint and retrieve class information by manipulating request parameters.

This flaw allows low-privileged users (e.g., standard student/responsible accounts) to retrieve enrollment (matriculas) information of students outside their scope, exposing Personally Identifiable Information (PII) without proper authorization checks.

Details

Vulnerable Endpoint: GET /module/Api/aluno

The application fails to enforce object-level authorization when handling this endpoint. As a result, any authenticated user can manipulate the request values to access sensitive information (names, IDs, enrollment status) of students.

Expected behavior:

  • Only authorized roles (e.g., administrators, coordinators, teachers linked to the class) should be able to access this data.
  • Unauthorized users should receive 403 Forbidden or an empty response.

Observed behavior:

  • Any authenticated user (even low-privilege accounts) can access this endpoint and retrieve sensitive information about academic classes.

PoC

  • Authenticate as a non-privileged user (e.g., student, professor).

  • Send the following request:

GET /module/Api/aluno?&oper=get&resource=matriculas&aluno_id=206 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://localhost/intranet/educar_aluno_det.php?cod_aluno=206
Cookie: i_educar_session=[LOW PRIVILEGED COOKIE]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

  • We could observe that information about classes was returned.
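Detection logic for the enumeration pattern shown in the PoC, added here as an example that is not part of the advisory or of i-Educar itself. It parses constructed access-log lines in an assumed format (client IP, session identifier, request line, HTTP status) and flags sessions that successfully fetched matriculas for more distinct aluno_id values than a legitimate student or guardian account would normally need.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not real i-Educar data). Assumed format:
# <client_ip> <session_id> "<METHOD> <path?query> HTTP/x.y" <status>
SAMPLE_LOG = """\
10.0.0.5 sess-A "GET /module/Api/aluno?&oper=get&resource=matriculas&aluno_id=206 HTTP/1.1" 200
10.0.0.5 sess-A "GET /module/Api/aluno?&oper=get&resource=matriculas&aluno_id=207 HTTP/1.1" 200
10.0.0.5 sess-A "GET /module/Api/aluno?&oper=get&resource=matriculas&aluno_id=208 HTTP/1.1" 200
10.0.0.5 sess-A "GET /module/Api/aluno?&oper=get&resource=matriculas&aluno_id=209 HTTP/1.1" 200
10.0.0.9 sess-B "GET /module/Api/aluno?&oper=get&resource=matriculas&aluno_id=206 HTTP/1.1" 200
10.0.0.9 sess-B "GET /intranet/educar_aluno_det.php?cod_aluno=206 HTTP/1.1" 200
10.0.0.7 sess-C "GET /module/Api/aluno?oper=get&resource=matriculas&aluno_id=300 HTTP/1.1" 403
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3})$')

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, session, method, target, status = m.groups()
    parts = urlsplit(target)
    # parse_qs skips the empty pair produced by the leading '&' seen in the PoC ("?&oper=get...")
    query = parse_qs(parts.query)
    return {"ip": ip, "session": session, "method": method,
            "path": parts.path, "query": query, "status": int(status)}

def find_enumerators(log_text, max_distinct=3):
    """Return {session: sorted aluno_ids} for sessions whose successful (HTTP 200)
    matriculas lookups covered more than max_distinct different aluno_id values."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != "/module/Api/aluno":
            continue
        if rec["status"] != 200:
            continue  # a 403 means the authorization check held; only count data actually returned
        q = rec["query"]
        if q.get("oper") != ["get"] or q.get("resource") != ["matriculas"]:
            continue
        for aluno_id in q.get("aluno_id", []):
            seen[rec["session"]].add(aluno_id)
    return {s: sorted(ids) for s, ids in seen.items() if len(ids) > max_distinct}

if __name__ == "__main__":
    for session, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{session}: fetched matriculas for {len(ids)} distinct students: {ids}")
```

The threshold is a tuning knob: a guardian with several dependents legitimately queries a handful of aluno_id values, while a sequential sweep such as 206, 207, 208, 209 from one session stands out.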

Impact

This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), allowing sensitive data exposure. Any authenticated user can access personal information of other users. This can lead to:

  • Unauthorized access to sensitive PII;
  • Violation of data protection laws (e.g., LGPD, GDPR);
  • Potential abuse of user data or impersonation;
  • User enumeration.

Reference

https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11047.md

Finder

Marcelo Queiroz

By: CVE-Hunters
