Portabilis i-Educar Broken Object Level Authorization Vulnerability in API Endpoint Allowing Unauthorized Data Access

Vulnerability

A Broken Object Level Authorization (BOLA) vulnerability has been identified in Portabilis i-Educar versions through 2.9.0. An authenticated low-privileged user can read sensitive personal information belonging to other users by changing the 'id' parameter sent to the 'pessoa' API endpoint. The endpoint verifies only that the caller is logged in; it does not check whether the caller is permitted to access the specific object referenced by 'id', so any authenticated session can retrieve data from any profile.

Impact

Exploitation of this vulnerability gives unauthorized access to other users' personal information, which can lead to misuse of that data, violation of data protection regulations, and user enumeration (iterating over 'id' values reveals which records exist, because the endpoint answers differently for existing and non-existing objects instead of refusing both).

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged user, such as a student or professor. With that session, send a request to the '/module/Api/pessoa' endpoint with the 'id' parameter set to the identifier of another user. The response contains that user's data; the server does not check whether the caller is authorized to view the object. A clean way to confirm the issue is to request your own 'id' first and then a foreign 'id' with the same session: both requests succeed, although only the first should.
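The following is an added example, not code from i-Educar or from this advisory. It models the authorization gap described above in a small Python handler: a vulnerable 'pessoa' lookup that checks only authentication, next to a hardened version that also checks the caller's right to the specific object, plus the probe a tester would run against each (own 'id', then a foreign 'id', with the same session). The record layout, the role names 'student', 'professor' and 'admin', the policy "a user may read their own record, only an admin may read any record", and the handler names are assumptions made for illustration.

```python
"""Illustrative model of a BOLA in an object lookup endpoint.

Added example code; the data model, role names, access policy and
handler names are assumptions, not i-Educar's implementation.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass(frozen=True)
class Session:
    user_id: int   # id of the authenticated user's own 'pessoa' record
    role: str      # assumed roles: 'student', 'professor', 'admin'


# Constructed sample records standing in for the 'pessoa' table.
PESSOAS = {
    1: {"id": 1, "nome": "Ana",   "cpf": "111.111.111-11", "email": "ana@example.org"},
    2: {"id": 2, "nome": "Bruno", "cpf": "222.222.222-22", "email": "bruno@example.org"},
    3: {"id": 3, "nome": "Carla", "cpf": "333.333.333-33", "email": "carla@example.org"},
}

Handler = Callable[[Session, int], Optional[dict]]


def api_pessoa_vulnerable(session: Session, pessoa_id: int) -> Optional[dict]:
    """Vulnerable pattern: authentication is checked, authorization is not.

    Any logged-in session can fetch any record simply by choosing 'id'.
    A missing record yields None, so the response also leaks existence.
    """
    if session is None:
        raise PermissionError("login required")
    return PESSOAS.get(pessoa_id)


def can_view_pessoa(session: Session, pessoa_id: int) -> bool:
    """Object-level authorization rule (assumed policy for this example):
    a user may read their own record; only 'admin' may read any record."""
    return session.role == "admin" or session.user_id == pessoa_id


def api_pessoa_fixed(session: Session, pessoa_id: int) -> Optional[dict]:
    """Hardened pattern: authorize the caller against *this* object.

    The check runs before the lookup, so an unauthorized caller gets the
    same Forbidden for existing and non-existing ids (no enumeration).
    """
    if session is None:
        raise PermissionError("login required")
    if not can_view_pessoa(session, pessoa_id):
        raise Forbidden("not authorized for this object")
    return PESSOAS.get(pessoa_id)


def probe_bola(handler: Handler, session: Session, own_id: int, target_id: int) -> bool:
    """Minimal BOLA test: same session, own id then a foreign id.

    Returns True when the foreign record is disclosed (endpoint vulnerable).
    """
    assert handler(session, own_id) is not None, "baseline request must succeed"
    try:
        leaked = handler(session, target_id)
    except Forbidden:
        return False
    return leaked is not None and leaked["id"] == target_id


def enumerate_ids(handler: Handler, session: Session, candidate_ids: Iterable[int]) -> List[int]:
    """Shows the enumeration impact: which candidate ids resolve to a record
    for this session. Against the fixed handler only the caller's own id does."""
    found = []
    for pid in candidate_ids:
        try:
            if handler(session, pid) is not None:
                found.append(pid)
        except Forbidden:
            pass
    return found


if __name__ == "__main__":
    student = Session(user_id=1, role="student")
    print("vulnerable leaks id 2:", probe_bola(api_pessoa_vulnerable, student, 1, 2))
    print("fixed leaks id 2:     ", probe_bola(api_pessoa_fixed, student, 1, 2))
    print("vulnerable enumeration:", enumerate_ids(api_pessoa_vulnerable, student, range(1, 6)))
    print("fixed enumeration:     ", enumerate_ids(api_pessoa_fixed, student, range(1, 6)))
```

The fix that matters is the per-object check in api_pessoa_fixed: knowing that a session exists says nothing about whether that session may read record 2. Placing the check before the lookup and returning the same refusal for every unauthorized id also closes the enumeration channel mentioned under Impact.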

Added: Aug 10, 2025, 3:17 AM
Updated: Aug 10, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.