Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
An improper authorization vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the '/module/HistoricoEscolar/processamentoApi' endpoint, where the application fails to enforce object-level authorization: it does not check that the requesting account is entitled to the specific enrollment record it asks for. This flaw enables low-privileged users, such as standard student or 'responsible' (guardian) accounts, to access enrollment information of other students, thereby exposing Personally Identifiable Information (PII) without appropriate authorization checks. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows unauthorized access to sensitive student information, including names, enrollment details, and institutional relationships. This could lead to privacy violations, unauthorized data harvesting across institutions, social engineering opportunities, and reputational damage for the affected institution.
To reproduce this vulnerability, authenticate as a low-privileged user and send a GET request to the '/module/HistoricoEscolar/processamentoApi' endpoint. Include parameters such as 'att' set to 'matriculas', 'oper' set to 'get', and other relevant identifiers for the institution, school, course, series, and class. The request must be made with an active session cookie for the low-privileged user.
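As an added detection example (not from the advisory or from the i-Educar project), the following Python flags sessions that successfully read enrollment data for many distinct identifier combinations through the affected endpoint, which is the access pattern a missing object-level check makes possible. The log format, the session column and the identifier parameter names in the sample lines are constructed assumptions, not i-Educar's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/module/HistoricoEscolar/processamentoApi"  # affected endpoint from the advisory

# Constructed sample log lines: '<client ip> <session id> "<method> <url> <proto>" <status>'.
# The session column and the identifier names (school, class) are placeholders, not i-Educar's.
SAMPLE_LOG = """\
10.0.0.5 sess-A "GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&school=1&class=7 HTTP/1.1" 200
10.0.0.5 sess-A "GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&school=1&class=8 HTTP/1.1" 200
10.0.0.5 sess-A "GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&school=2&class=1 HTTP/1.1" 200
10.0.0.9 sess-B "GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&school=1&class=7 HTTP/1.1" 200
10.0.0.9 sess-B "GET /module/HistoricoEscolar/processamentoApi?att=matriculas&oper=get&school=1&class=7 HTTP/1.1" 200
10.0.0.9 sess-B "GET / HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<session>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})$')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def enrollment_object_key(url):
    """For an enrollment read ('att=matriculas', 'oper=get') on the affected endpoint, return
    the sorted tuple of the remaining identifier parameters, which together name the object
    being read. Any other request returns None."""
    parts = urlsplit(url)
    if parts.path != ENDPOINT:
        return None
    params = dict(parse_qsl(parts.query))
    if params.get("att") != "matriculas" or params.get("oper") != "get":
        return None
    return tuple(sorted((k, v) for k, v in params.items() if k not in ("att", "oper")))

def flag_enumeration(log_text, threshold=3):
    """Count per session how many distinct enrollment objects were read successfully and
    return [(session, count), ...] for sessions at or above the threshold, largest first.
    One student or guardian legitimately sees few objects; many distinct ones is suspicious."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue  # skip unparseable lines and requests that did not return data
        key = enrollment_object_key(rec["url"])
        if key is not None:
            seen[rec["session"]].add(key)
    flagged = [(s, len(keys)) for s, keys in seen.items() if len(keys) >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))
```

Run `flag_enumeration` over the real access log and tune the threshold to the number of enrollment records one student or guardian account is expected to read in the session window.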