Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A broken access control vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the '/cancelar-enturmacao-em-lote/[ID]' endpoint, where improper access controls allow users to bypass authorization checks and access restricted functionalities. This vulnerability can be exploited remotely and requires authentication.
Exploitation of this vulnerability allows unauthorized access to functionalities meant for privileged users, potentially leading to unauthorized changes in the application, such as incorrectly unassigning students from classes.
To reproduce this vulnerability, authenticate as a low-privileged user and send a GET request to the '/cancelar-enturmacao-em-lote/[ID]' endpoint. The request must include the 'i_educar_session' cookie for authentication. Once the request is sent, access to the page and the functionality to batch unassign students from classes will be granted, despite the user's low privileges.
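The defect described above is a missing server-side authorization check on a privileged route, and the cheapest detection is to look for any request that reached that route from a session without a privileged role. The block below is an added illustration written for this page, not code from the i-Educar project or from the advisory's author. It assumes a constructed log format in which each line already carries the role resolved from the `i_educar_session` cookie (a real web-server access log would need that enrichment from the session store), and the role names `admin`, `school_secretary`, `student` and `teacher` are placeholders; only the route path comes from the advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Route named in the advisory: /cancelar-enturmacao-em-lote/[ID]
BATCH_UNENROLL_ROUTE = re.compile(r"^/cancelar-enturmacao-em-lote/(?P<id>\d+)/?$")

# Assumed role names for illustration; the advisory does not describe
# i-Educar's real role model.
PRIVILEGED_ROLES = frozenset({"admin", "school_secretary"})

# Constructed log format: <timestamp> sess=<id> role=<role> <METHOD> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    role: str         # role bound to the i_educar_session cookie (assumed enrichment)
    session_id: str
    status: int


def matches_batch_unenroll(path: str) -> bool:
    """True only for the exact privileged route with a numeric ID."""
    return BATCH_UNENROLL_ROUTE.match(path) is not None


def authorize(req: Request) -> bool:
    """The server-side check the advisory reports as missing: a request to the
    batch-unenrol route is allowed only when the session carries a privileged
    role. Other routes are out of scope here and are passed through."""
    if not matches_batch_unenroll(req.path):
        return True
    return req.role in PRIVILEGED_ROLES


def parse_log_line(line: str) -> Optional[Request]:
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    return Request(
        method=m.group("method"),
        path=m.group("path"),
        role=m.group("role"),
        session_id=m.group("sess"),
        status=int(m.group("status")),
    )


def audit(log_text: str) -> List[Request]:
    """Return every request that hit the privileged route from a session whose
    role is not privileged. On a vulnerable build these come back with 200,
    so a non-privileged hit is a bypass, not a denied attempt."""
    violations = []
    for line in log_text.splitlines():
        req = parse_log_line(line)
        if req is not None and not authorize(req):
            violations.append(req)
    return violations


# Constructed sample log, not captured from a real deployment.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z sess=a1 role=admin GET /cancelar-enturmacao-em-lote/17 200
2024-05-01T08:02:14Z sess=b2 role=student GET /home 200
2024-05-01T08:03:30Z sess=b2 role=student GET /cancelar-enturmacao-em-lote/17 200
2024-05-01T08:04:00Z sess=c3 role=teacher GET /cancelar-enturmacao-em-lote 404
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"bypass: session={v.session_id} role={v.role} {v.method} {v.path} -> {v.status}")
```

The fourth sample line deliberately lacks the `[ID]` segment, so the matcher leaves it alone; the point is that the rule keys on the exact privileged route rather than on a loose prefix, which keeps the alert volume honest. In production the same `authorize` predicate belongs in the route middleware, before any handler runs, so that the result is a denial rather than a log entry.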