Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A SQL injection vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the '/module/ComponenteCurricular/view' endpoint, specifically in the 'id' parameter, whose value is incorporated into a SQL query without validation or parameterization. A remote attacker can therefore alter the query the application sends to its database.
The injection is blind and time-based: the application does not return query results or database errors to the attacker, who instead infers them from delays in the server's response. Because arbitrary SQL reaches the database, the impact includes unauthorized data access, database enumeration, data manipulation, and denial of service, the last by submitting payloads that make every request stall for the requested delay.
To reproduce, request the '/module/ComponenteCurricular/view' endpoint with a crafted value in the 'id' parameter. The application neither validates the parameter nor binds it as a query parameter, so SQL appended to the value is executed by the database. A time-delay payload is the practical confirmation: if the response arrives only after the delay the payload requested, the injected statement was executed, and boolean conditions can then be tested one at a time to extract data.
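The mechanism described above, as an added example that is not i-Educar's code: a constructed SQLite table standing in for a table of curricular components (the schema and column names are hypothetical), a handler that interpolates the 'id' parameter into the query the way the vulnerable endpoint does, the same lookup with the value bound as a parameter, and a hardened variant that also allow-lists the value as an integer. SQLite has no sleep function, so a `sleep()` user function is registered as a stand-in for what a time-based payload would call on a server database (for example PostgreSQL's `pg_sleep()`); the time measurement is what a tester would observe on the real endpoint.

```python
import sqlite3
import time


def build_db():
    """Constructed stand-in for the application's table of curricular components.

    The schema is hypothetical; it is not i-Educar's.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE componente (id INTEGER PRIMARY KEY, nome TEXT, nota_interna TEXT)"
    )
    conn.executemany(
        "INSERT INTO componente VALUES (?, ?, ?)",
        [(1, "Matematica", "n1"), (2, "Historia", "n2"), (3, "Ciencias", "n3")],
    )

    # SQLite has no sleep(); register one so a time-based payload can be
    # demonstrated offline. On PostgreSQL the equivalent is pg_sleep().
    def sleep_true(seconds):
        time.sleep(seconds)
        return 1

    conn.create_function("sleep", 1, sleep_true)
    return conn


def view_vulnerable(conn, id_param):
    """Builds the query by string interpolation: the request value becomes SQL."""
    sql = f"SELECT id, nome FROM componente WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def view_parameterized(conn, id_param):
    """Binds the value as a query parameter: the database never parses it as SQL."""
    sql = "SELECT id, nome FROM componente WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


def view_hardened(conn, id_param):
    """Allow-list validation plus binding: 'id' must be a positive integer string."""
    if not isinstance(id_param, str) or not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return view_parameterized(conn, int(id_param))


def timed_vulnerable(conn, id_param):
    """Runs the vulnerable handler and returns (rows, elapsed_seconds).

    On the real endpoint only the elapsed time is observable; a delay that
    matches the payload's requested sleep shows the injected SQL executed.
    """
    start = time.perf_counter()
    rows = view_vulnerable(conn, id_param)
    return rows, time.perf_counter() - start


if __name__ == "__main__":
    db = build_db()
    # Boolean payload widens the WHERE clause to every row (database enumeration).
    print(view_vulnerable(db, "1 OR 1=1"))
    # The same text bound as a parameter matches nothing.
    print(view_parameterized(db, "1 OR 1=1"))
    # Time-based payload: the response is delayed only if the injected SQL ran.
    rows, elapsed = timed_vulnerable(db, "1 AND sleep(0.3)")
    print(rows, round(elapsed, 2))
```

Binding alone closes the injection; the integer allow-list in `view_hardened` is the additional check worth keeping for an identifier parameter, since it rejects the malformed value at the edge and turns an attack into a logged validation error instead of a query the database has to evaluate.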