Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.9.0
A Broken Function Level Authorization vulnerability has been identified in Portabilis i-Educar versions through 2.9.0. This issue resides in the API Endpoint '/module/Api/Diario', where proper authorization checks are not enforced. As a result, unauthorized users can remotely access the endpoint and modify student grades, leading to significant integrity issues in academic records.
Exploitation of this vulnerability allows unauthorized users to alter student grades, bypassing all permission controls. This manipulation of academic data could result in severe integrity issues, with potential legal and reputational consequences for educational institutions.
To reproduce this vulnerability, create a new user account with no privileges. Once the account is set up, send a request to the '/module/Api/Diario' endpoint using the cookie from the low-privilege user. Include the data for the grade to be changed. The request will be processed successfully, indicating that the grade has been altered.
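An added illustration of the missing check (example code, not i-Educar's own): a grade-update handler that only verifies a session exists, beside a hardened version that also enforces the permission the operation requires. The role table, `Session`, `GradeBook` and the handler names are assumptions made for this example.

```python
"""Broken Function Level Authorization (BFLA) illustrated: the vulnerable
handler accepts any authenticated session; the fixed one checks the
permission the grade-write operation needs. Not project code."""
from dataclasses import dataclass, field

# Constructed permission table: which roles may write to the diary (grade book).
PERMISSIONS = {
    "admin": {"diario:write"},
    "teacher": {"diario:write"},
    "student": set(),  # a freshly created account with no privileges
}


@dataclass
class Session:
    user: str
    role: str


@dataclass
class GradeBook:
    # (student_id, subject) -> grade
    grades: dict = field(default_factory=dict)


def update_grade_vulnerable(book, session, student_id, subject, grade):
    """Authentication only: *any* logged-in user may overwrite a grade."""
    if session is None:
        return 401  # no cookie / no session
    book.grades[(student_id, subject)] = grade
    return 200


def update_grade_fixed(book, session, student_id, subject, grade):
    """Authentication, then function-level authorization for this operation."""
    if session is None:
        return 401
    # The check is tied to the specific action (writing to the diary), not to
    # merely being logged in; an unprivileged account gets 403 and no write.
    if "diario:write" not in PERMISSIONS.get(session.role, set()):
        return 403
    book.grades[(student_id, subject)] = grade
    return 200
```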