
CVE-2025-9687

Broken Access Control

CVE-2025-9687: Broken Object Level Authorization (BOLA) allows enumeration of students via /module/HistoricoEscolar/processamentoApi

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-9687

Summary

A Broken Object Level Authorization (BOLA) vulnerability was identified in the /module/HistoricoEscolar/processamentoApi endpoint of the i-Educar application. This flaw allows low-privileged users (e.g., standard student/responsible accounts) to retrieve enrollment (matriculas) information of students outside their scope, exposing Personally Identifiable Information (PII) without proper authorization checks.

Details

Vulnerable Endpoint:
GET /module/HistoricoEscolar/processamentoApi

The application fails to enforce object-level authorization when handling this endpoint. As a result, any authenticated user can change the request parameters to retrieve sensitive information (names, IDs, enrollment status) about students outside their own scope.

PoC

  • Authenticate as a non-privileged user (e.g., student, professor).

  • Send the following request:

GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&instituicao_id=1&escola_id=4&curso_id=3&serie_id=5&turma_id=23&ano=2025&busca=S HTTP/1.1
Cookie: i_educar_session=<low-privileged-session>

  • Information about the students in that scope was returned to the low-privileged session.

Impact

This vulnerability is a Broken Object Level Authorization (BOLA) issue (OWASP API Top 10 - 2023, A01), allowing sensitive data exposure. Any authenticated user can access personal information of other users. This can lead to:

  • Unauthorized access to sensitive PII;
  • Violation of data protection laws (e.g., LGPD, GDPR);
  • Potential abuse of user data or impersonation;
  • User enumeration.
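As an added example (not part of the advisory or of the i-Educar project), the following detection logic flags sessions that successfully retrieve matriculas for many distinct (instituicao, escola, curso, serie, turma) scopes, which is the pattern the enumeration above would leave in an access log. The log format, session ids, sample lines and threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (hypothetical format, not real i-Educar logs):
# <timestamp> <session_id> <method> <path_with_query> <status>
SAMPLE_LOG = """\
2025-08-28T10:00:01Z sess_A GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&instituicao_id=1&escola_id=4&curso_id=3&serie_id=5&turma_id=23&ano=2025&busca=S 200
2025-08-28T10:00:02Z sess_A GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&instituicao_id=1&escola_id=4&curso_id=3&serie_id=5&turma_id=24&ano=2025&busca=S 200
2025-08-28T10:00:03Z sess_A GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&instituicao_id=1&escola_id=4&curso_id=3&serie_id=5&turma_id=25&ano=2025&busca=S 200
2025-08-28T10:00:04Z sess_A GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&instituicao_id=1&escola_id=5&curso_id=3&serie_id=5&turma_id=26&ano=2025&busca=S 200
2025-08-28T10:00:05Z sess_B GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&instituicao_id=1&escola_id=4&curso_id=3&serie_id=5&turma_id=23&ano=2025&busca=S 200
2025-08-28T10:00:06Z sess_B GET /other/page 200
2025-08-28T10:00:07Z sess_C GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&instituicao_id=1&escola_id=4&curso_id=3&serie_id=5&turma_id=23&ano=2025&busca=S 403
"""

ENDPOINT = "/module/HistoricoEscolar/processamentoApi"
# The parameters that select which group of students is returned (the "object" in BOLA terms).
SCOPE_KEYS = ("instituicao_id", "escola_id", "curso_id", "serie_id", "turma_id")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, session, method, target, status = m.groups()
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ts": ts, "session": session, "method": method,
            "path": url.path, "status": int(status), "params": params}

def is_matricula_lookup(rec):
    """True for the exact operation described in the advisory."""
    return (rec["path"] == ENDPOINT and rec["params"].get("att") == "matriculas"
            and rec["params"].get("oper") == "get")

def find_enumerating_sessions(log_text, max_distinct_scopes=2):
    """Return {session: distinct_scope_count} for sessions exceeding the threshold.
    Only 200 responses count: a 403 means the server refused the lookup."""
    scopes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_matricula_lookup(rec) or rec["status"] != 200:
            continue
        scopes[rec["session"]].add(tuple(rec["params"].get(k) for k in SCOPE_KEYS))
    return {s: len(v) for s, v in scopes.items() if len(v) > max_distinct_scopes}

if __name__ == "__main__":
    print(find_enumerating_sessions(SAMPLE_LOG))  # {'sess_A': 4}
```

A student or guardian account legitimately belongs to very few scopes, so the threshold can be kept low; tune it per deployment and correlate flagged sessions with the account's own enrollment.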

Reference

https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9687.md

Finder

Marcelo Queiroz

By: CVE-Hunters
