Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A broken access control vulnerability has been identified in Portabilis i-Educar versions through 2.10. This issue affects the '/periodo-lancamento' endpoint, where the application fails to properly validate user permissions. As a result, low-privileged users can access functionality intended for higher-privileged users, bypassing authorization checks. The vulnerability can be exploited remotely.
Exploitation of this vulnerability allows unauthorized access to restricted functionality, potentially leading to unauthorized changes in the application or access to sensitive information. In an educational context, this could result in improper handling of academic records or data.
To reproduce this vulnerability, authenticate as a low-privileged user and send a GET request to the '/periodo-lancamento' endpoint. The request must include the session cookie for the low-privileged user. Once the request is sent, the response will indicate access to the page and functionality that should be restricted for that user level.
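A defender-side check for this advisory, added here and not part of the original entry: it scans access-log lines for successful requests to '/periodo-lancamento' by users whose role should not reach it. The log layout, user names and role names are constructed assumptions (the advisory does not give i-Educar's role names), and it flags any HTTP method, not only the GET described above.

```python
import re
from typing import Iterable

# Constructed sample: combined-log-style lines with the authenticated
# application user in the third field. Names, IPs, timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - maria.secretaria [12/Mar/2024:09:14:02 -0300] "GET /periodo-lancamento HTTP/1.1" 200 5123
10.0.0.9 - joao.professor [12/Mar/2024:09:15:40 -0300] "GET /periodo-lancamento HTTP/1.1" 200 5123
10.0.0.9 - joao.professor [12/Mar/2024:09:15:41 -0300] "GET /static/app.css HTTP/1.1" 200 812
10.0.0.7 - ana.aluno [12/Mar/2024:09:16:10 -0300] "GET /periodo-lancamento HTTP/1.1" 302 0
10.0.0.7 - ana.aluno [12/Mar/2024:09:16:12 -0300] "POST /periodo-lancamento?ano=2024 HTTP/1.1" 200 231
"""

# Assumed role model (not from the advisory): in a real deployment the
# user->role mapping comes from the application's user table.
USER_ROLES = {"maria.secretaria": "secretaria", "joao.professor": "professor",
              "ana.aluno": "aluno"}
ALLOWED_ROLES = {"admin", "secretaria"}   # roles expected to manage launch periods
RESTRICTED_PATH = "/periodo-lancamento"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

def find_unauthorized_hits(lines: Iterable[str]) -> list[dict]:
    """Successful (2xx) requests to the restricted endpoint by users whose role
    is not allowed there. A redirect or error is the expected outcome for such
    users, so only 2xx responses count as evidence of the bypass."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path != RESTRICTED_PATH and not path.startswith(RESTRICTED_PATH + "/"):
            continue
        if int(m.group("status")) >= 300:
            continue
        user = m.group("user")
        role = USER_ROLES.get(user, "unknown")  # unknown users are flagged too
        if role not in ALLOWED_ROLES:
            hits.append({"ts": m.group("ts"), "ip": m.group("ip"), "user": user,
                         "role": role, "method": m.group("method"), "path": path})
    return hits

if __name__ == "__main__":
    for h in find_unauthorized_hits(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} {h['ip']} {h['user']} ({h['role']}) {h['method']} {h['path']}")
```

Run against the sample it reports the professor's GET and the student's POST but not the student's redirected GET or the secretary's access.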