Portabilis i-Educar Broken Object Level Authorization Vulnerability in the API Module

Vulnerability

A Broken Object Level Authorization (BOLA) vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the '/module/Api/aluno' endpoint: the application does not verify that the authenticated caller is authorized for the student referenced by the 'aluno_id' parameter. This flaw allows low-privileged users, such as standard student or guardian ("responsável") accounts, to access enrollment information of other students, thereby exposing Personally Identifiable Information (PII) without appropriate authorization checks. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows unauthorized users to access sensitive student information, including names, IDs, enrollment statuses, and institutional relationships. This could lead to widespread data harvesting, privacy violations, opportunities for social engineering attacks, and reputational damage to the affected institutions.
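Because the vulnerable endpoint answers any authenticated caller, the harvesting described above leaves a recognizable trace: one low-privileged account successfully reading many distinct 'aluno_id' values. The following detection logic is an added example and not part of the advisory or of i-Educar; the log format (a web-server access log with the authenticated username in the third field), the sample lines and the threshold are constructed assumptions.

```python
"""Flag accounts that read an unusual number of distinct student records.

Added example, not i-Educar code. The access-log layout below is an
assumption: client_ip - user [time] "method path proto" status size.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample log: aluno.ana walks through seven different ids,
# resp.carlos only touches the two students linked to the account.
SAMPLE_LOG = """\
10.0.0.5 - aluno.ana [26/Sep/2025:20:01:02 +0000] "GET /module/Api/aluno?aluno_id=101 HTTP/1.1" 200 512
10.0.0.5 - aluno.ana [26/Sep/2025:20:01:05 +0000] "GET /module/Api/aluno?aluno_id=102 HTTP/1.1" 200 498
10.0.0.5 - aluno.ana [26/Sep/2025:20:01:08 +0000] "GET /module/Api/aluno?aluno_id=103 HTTP/1.1" 200 503
10.0.0.5 - aluno.ana [26/Sep/2025:20:01:11 +0000] "GET /module/Api/aluno?aluno_id=104 HTTP/1.1" 200 511
10.0.0.5 - aluno.ana [26/Sep/2025:20:01:14 +0000] "GET /module/Api/aluno?aluno_id=105 HTTP/1.1" 200 490
10.0.0.5 - aluno.ana [26/Sep/2025:20:01:17 +0000] "GET /module/Api/aluno?aluno_id=106 HTTP/1.1" 200 507
10.0.0.5 - aluno.ana [26/Sep/2025:20:01:20 +0000] "GET /module/Api/aluno?aluno_id=107 HTTP/1.1" 200 495
10.0.0.5 - aluno.ana [26/Sep/2025:20:01:23 +0000] "GET /module/Api/aluno?aluno_id=108 HTTP/1.1" 500 0
10.0.0.5 - aluno.ana [26/Sep/2025:20:02:00 +0000] "GET /intranet/index.php HTTP/1.1" 200 2048
10.0.0.9 - resp.carlos [26/Sep/2025:20:05:31 +0000] "GET /module/Api/aluno?aluno_id=205 HTTP/1.1" 200 501
10.0.0.9 - resp.carlos [26/Sep/2025:20:05:40 +0000] "GET /module/Api/aluno?aluno_id=206 HTTP/1.1" 200 499
10.0.0.9 - resp.carlos [26/Sep/2025:20:09:02 +0000] "GET /module/Api/aluno?aluno_id=205 HTTP/1.1" 200 501
"""

LOG_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
ALUNO_PATH = "/module/Api/aluno"


def distinct_ids_per_user(lines):
    """Map each user to the set of aluno_id values they read successfully.

    Only HTTP 200 responses to the aluno endpoint count: errors and other
    paths are not evidence that a record was disclosed.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        user, path, status = m.group(2), m.group(5), m.group(6)
        url = urlparse(path)
        if url.path != ALUNO_PATH or status != "200":
            continue
        for value in parse_qs(url.query).get("aluno_id", []):
            seen[user].add(value)
    return dict(seen)


def flag_harvesting(lines, threshold=5, exempt_users=frozenset()):
    """Return {user: distinct_id_count} for users over the threshold.

    The threshold is an assumption to tune per deployment; accounts with a
    legitimate need to read many records (e.g. secretariat staff) can be
    passed in exempt_users so they are not reported.
    """
    counts = distinct_ids_per_user(lines)
    return {
        user: len(ids)
        for user, ids in counts.items()
        if user not in exempt_users and len(ids) > threshold
    }


if __name__ == "__main__":
    for user, n in flag_harvesting(SAMPLE_LOG.splitlines()).items():
        print(f"possible enumeration: {user} read {n} distinct students")
```

Distinct ids, not request volume, is the signal: a guardian refreshing the same two records many times stays below the threshold, while a student account that reads seven different records in a row is reported.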

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged user and send a GET request to the '/module/Api/aluno' endpoint. Include the 'aluno_id' parameter to access enrollment information of students outside the user's scope. The response will contain sensitive data such as names and enrollment details.
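The root cause is that authentication is treated as authorization: the handler looks up whatever 'aluno_id' the request names. The following Python model, an added example that is not i-Educar's code, places the vulnerable lookup beside a hardened one that resolves the caller's scope first. The role names, record fields and the in-memory data are constructed assumptions; in the real application the same check would be made against the caller's links in the database.

```python
"""Object-level authorization for an enrollment lookup keyed on aluno_id.

Added illustration, not i-Educar code. Roles, fields and the data store
below are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    user_id: int
    role: str                     # assumed roles: "admin", "aluno", "responsavel"
    aluno_id: int | None = None   # a student's own record (assumption)
    dependents: frozenset[int] = frozenset()  # students linked to a guardian (assumption)


# Constructed sample data: aluno_id -> enrollment record.
ENROLLMENTS = {
    101: {"nome": "Ana", "matricula": "2025-0001", "situacao": "ativa"},
    102: {"nome": "Bruno", "matricula": "2025-0002", "situacao": "ativa"},
    103: {"nome": "Carla", "matricula": "2025-0003", "situacao": "trancada"},
}


class NotFound(Exception):
    """Raised both for ids outside the caller's scope and for ids that do not exist."""


def get_aluno_vulnerable(caller: Caller | None, aluno_id: int) -> dict:
    """BOLA pattern: a logged-in session is treated as sufficient and the
    requested object is never compared with the caller."""
    if caller is None:
        raise PermissionError("login required")
    return ENROLLMENTS[aluno_id]


def allowed_aluno_ids(caller: Caller) -> frozenset[int] | None:
    """Resolve which aluno_id values this caller may read.

    None means unrestricted (administrative role); an empty set means the
    caller may read nothing, which is the default for unknown roles.
    """
    if caller.role == "admin":
        return None
    if caller.role == "aluno":
        return frozenset({caller.aluno_id}) if caller.aluno_id is not None else frozenset()
    if caller.role == "responsavel":
        return caller.dependents
    return frozenset()


def get_aluno_fixed(caller: Caller | None, aluno_id: int) -> dict:
    """Authorize the object, not only the endpoint: the id taken from the
    request must be inside the caller's scope before any record is read."""
    if caller is None:
        raise PermissionError("login required")
    scope = allowed_aluno_ids(caller)
    if scope is not None and aluno_id not in scope:
        # Same outcome as a missing record, so the response does not act as
        # an oracle for which aluno_id values exist.
        raise NotFound(aluno_id)
    try:
        return ENROLLMENTS[aluno_id]
    except KeyError:
        raise NotFound(aluno_id) from None


if __name__ == "__main__":
    student = Caller(user_id=1, role="aluno", aluno_id=101)
    print(get_aluno_fixed(student, 101)["nome"])   # own record: Ana
    try:
        get_aluno_fixed(student, 102)             # another student's record
    except NotFound:
        print("refused: aluno_id 102 is outside the caller's scope")
```

The scope is computed from the caller's identity and stored relationships, never from anything in the request, and out-of-scope and nonexistent ids produce the same error so the check does not leak which ids are valid.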

Added: Sep 26, 2025, 10:19 PM
Updated: Sep 26, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.