Portabilis i-Educar Improper Authorization Vulnerability in Final Status Import Tool

Vulnerability

A Broken Function Level Authorization (BFLA) vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the Final Status Import tool, specifically within the FinalStatusImportService.php file. This vulnerability allows authenticated users with 'School' level permissions to bypass authorization checks and modify student records across different school units by manipulating the school_id argument. The exploitation can be done remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in student records, allowing attackers to alter academic statuses to any available option, including 'Deceased'. This not only compromises the integrity of the educational data but also disrupts official statistics used in government reports, potentially causing legal issues and loss of funding.

Reproduction

The vulnerability can be reproduced by an authenticated user with 'School' level permissions. The user uploads a CSV file containing enrollment IDs of students from other school units through the Final Status Import tool. The backend service processes these IDs without verifying whether they belong to the user's authorized school, resulting in unauthorized modifications of those students' final status.
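The check that is missing, modelled as an added example rather than i-Educar's own code: a minimal import service that, in the flawed form, trusts the request's school_id and writes every enrollment in the file, next to a hardened form that enforces both the function-level check (the user may act on that school) and the object-level check (every enrollment in the batch belongs to that school) before anything is written. The enrollment table, user permissions and CSV rows are constructed sample data; function and field names are assumptions.

```python
import csv
import io

# Constructed sample data (not from i-Educar): enrollment id -> owning school id.
ENROLLMENTS = {101: 1, 102: 1, 201: 2}

# Constructed import files. CSV_MIXED smuggles enrollment 201 (school 2)
# in with rows that belong to school 1; CSV_OWN contains only school 1 rows.
CSV_MIXED = "enrollment_id,final_status\n101,Approved\n102,Approved\n201,Deceased\n"
CSV_OWN = "enrollment_id,final_status\n101,Approved\n102,Approved\n"


class ImportRejected(Exception):
    pass


def parse_rows(csv_text):
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(int(r["enrollment_id"]), r["final_status"]) for r in reader]


def import_vulnerable(user_school_ids, requested_school_id, csv_text):
    """Flawed behaviour described in the advisory: school_id comes from the
    request and is never compared with the user's schools or the rows' owners."""
    return {enrollment_id: status for enrollment_id, status in parse_rows(csv_text)}


def import_hardened(user_school_ids, requested_school_id, csv_text):
    """Authorize the function (school) and every object (enrollment) first."""
    if requested_school_id not in user_school_ids:
        raise ImportRejected(f"user not authorized for school {requested_school_id}")
    rows = parse_rows(csv_text)
    # Validate the whole batch before writing anything, so one foreign
    # enrollment id cannot slip through alongside legitimate rows.
    for enrollment_id, _ in rows:
        if ENROLLMENTS.get(enrollment_id) != requested_school_id:
            raise ImportRejected(f"enrollment {enrollment_id} is not in school {requested_school_id}")
    return {enrollment_id: status for enrollment_id, status in rows}


def attempt(import_fn, user_school_ids, requested_school_id, csv_text):
    """Run an importer and report ('ok', changes) or ('rejected', reason)."""
    try:
        return ("ok", import_fn(user_school_ids, requested_school_id, csv_text))
    except ImportRejected as exc:
        return ("rejected", str(exc))
```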

Added: Feb 6, 2026, 11:20 AM
Updated: Feb 6, 2026, 3:25 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.