Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A Broken Object Level Authorization (BOLA) vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the 'turma' API endpoint, specifically within the '/module/Api/turma' file. This vulnerability allows authenticated users, even those with low privileges, to access and enumerate class information by manipulating request parameters. While individual student data is not exposed, the unauthorized disclosure of academic structure details could be exploited for further attacks or enumeration purposes.
Exploitation of this vulnerability leads to unauthorized access to sensitive academic information, including class details, courses, and schedules. This exposure could be used to map the academic structure and identify valid IDs for targeted attacks, especially in conjunction with other vulnerabilities that affect student records.
To reproduce this vulnerability, authenticate as a low-privileged user and send a GET request to the '/module/Api/turma' endpoint. Include parameters such as 'oper', 'resource', and 'id' to retrieve class information. The response will contain sensitive data about the academic classes, demonstrating the improper authorization issue.
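From the detection side, a BOLA of this kind shows up in access logs as one low-privileged account walking many distinct 'id' values on '/module/Api/turma'. The following is an added example, not code from the i-Educar project: it parses constructed combined-format log lines (the 'user' field is assumed to carry the authenticated application username, and the 'oper=get' / 'resource=turma' values are assumed, since the advisory names only the parameters) and flags users who fetched an unusual number of distinct class ids.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache/Nginx combined format; not real traffic.
# The third field is assumed to be the authenticated i-Educar username.
SAMPLE_LOG = """\
10.0.0.5 - aluno1 [01/Jan/2024:10:00:01 +0000] "GET /module/Api/turma?oper=get&resource=turma&id=101 HTTP/1.1" 200 512
10.0.0.5 - aluno1 [01/Jan/2024:10:00:02 +0000] "GET /module/Api/turma?oper=get&resource=turma&id=102 HTTP/1.1" 200 498
10.0.0.5 - aluno1 [01/Jan/2024:10:00:03 +0000] "GET /module/Api/turma?oper=get&resource=turma&id=103 HTTP/1.1" 200 520
10.0.0.5 - aluno1 [01/Jan/2024:10:00:04 +0000] "GET /module/Api/turma?oper=get&resource=turma&id=104 HTTP/1.1" 200 505
10.0.0.9 - prof2 [01/Jan/2024:10:00:05 +0000] "GET /module/Api/turma?oper=get&resource=turma&id=101 HTTP/1.1" 200 512
10.0.0.9 - prof2 [01/Jan/2024:10:00:06 +0000] "GET /module/Api/aluno?oper=get&resource=aluno&id=7 HTTP/1.1" 200 300
"""

# ip ident user [timestamp] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

TURMA_PATH = "/module/Api/turma"  # endpoint named in the advisory


def parse_line(line):
    """Return the fields needed for detection, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "path": parts.path,
        "status": int(m.group("status")),
        "oper": qs.get("oper", [None])[0],
        "resource": qs.get("resource", [None])[0],
        "id": qs.get("id", [None])[0],
    }


def find_enumerators(log_text, threshold=3):
    """Map user -> sorted distinct class ids for users who successfully (HTTP 200)
    fetched at least `threshold` distinct ids from the turma endpoint."""
    ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TURMA_PATH or rec["status"] != 200:
            continue
        if rec["oper"] == "get" and rec["id"] is not None:
            ids_by_user[rec["user"]].add(rec["id"])
    return {u: sorted(ids) for u, ids in ids_by_user.items() if len(ids) >= threshold}
```

The threshold should be tuned per deployment (teachers legitimately view several classes); the durable fix is an object-level authorization check in the endpoint itself, with this detection as a compensating control until it is deployed.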