Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A Broken Object Level Authorization (BOLA) vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the diariApi endpoint of the Avaliacao module, where the application fails to enforce proper object-level authorization. This flaw allows any authenticated user, including those with low privileges, to access sensitive information about academic classes by manipulating request parameters. While individual student data is not exposed, the vulnerability leads to unauthorized disclosure of academic structure information, which could be used for further exploitation or enumeration of class-related data.
Exploitation of this vulnerability results in the unauthorized disclosure of sensitive academic information, including details about classes, courses, and schedules. This exposure could be used to map out the academic structure and identify valid IDs for further attacks, especially if combined with other vulnerabilities that allow access to student records.
To reproduce this vulnerability, authenticate as a low-privileged user and send a GET request to the diariApi endpoint with specific parameters related to the academic institution, school, course, series, turma, and other relevant identifiers. The response will include sensitive information about classes, demonstrating the lack of proper authorization enforcement.
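A server-side check of the kind that closes this class of gap, added here as an illustration rather than taken from i-Educar: the class (turma) is loaded by its primary key and the authorization decision is made against the school it really belongs to, not against the institution/school/course ids the client supplies. Table, column, role and parameter names are assumptions made for this example.

```php
<?php
// Added illustration of object-level authorization for a class-diary request.
// Not i-Educar's code: the table name, the session/user layout, the role names
// and the `turma_id` query parameter are assumptions made for this example.

function loadClass(PDO $db, int $turmaId): ?array {
    // Resolve the class by primary key only; its school/course/grade come from
    // the database, never from the request.
    $stmt = $db->prepare(
        'SELECT id, institution_id, school_id, course_id, grade_id FROM classes WHERE id = :id'
    );
    $stmt->execute([':id' => $turmaId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function canReadClassDiary(array $user, array $class): bool {
    // $user is the authenticated session: role, the schools the account is bound
    // to, and (for teachers) the classes they are assigned to.
    if ($user['role'] === 'admin') {
        return true;
    }
    $sameSchool = in_array((int) $class['school_id'], $user['school_ids'], true);
    if ($user['role'] === 'teacher') {
        // Being in the same school is not enough; the teacher must own the class.
        return $sameSchool && in_array((int) $class['id'], $user['class_ids'], true);
    }
    return $sameSchool && $user['role'] === 'school_staff';
}

function handleDiariRequest(PDO $db, array $user, array $query): array {
    if (!isset($query['turma_id']) || !ctype_digit((string) $query['turma_id'])) {
        return ['status' => 400, 'body' => ['error' => 'invalid turma_id']];
    }
    $class = loadClass($db, (int) $query['turma_id']);
    if ($class === null || !canReadClassDiary($user, $class)) {
        // One response for "does not exist" and "not yours", so the endpoint does
        // not become an oracle for enumerating valid class ids.
        return ['status' => 404, 'body' => ['error' => 'not found']];
    }
    // Build the diary payload from $class here; any institution/school/course
    // ids sent by the client are ignored in favour of the stored values.
    return ['status' => 200, 'body' => ['class' => $class]];
}
```

The same pattern applies to every identifier the endpoint accepts: authorize the object the request resolves to, and log denied lookups so repeated probing of sequential ids by one account stands out in review.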