CVE-2025-65023

High CVSS: 7.2

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_funcionario_vinculo GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit a00dfa3.

Vendor

Portabilis

Product

I-educar

CWE

CWE-89

Yayın Tarihi

2025-11-19 16:15:49

Güncelleme

2025-11-20 17:20:18

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-89 I-educar HIGH Portabilis 2025

Referanslar

https://github.com/portabilis/i-educar/commit/a00dfa3f129bc84e27873aa01cbd3f82e5b6c6c8 https://github.com/portabilis/i-educar/security/advisories/GHSA-8rv6-x8h9-fjfc https://github.com/portabilis/i-educar/security/advisories/GHSA-8rv6-x8h9-fjfc

Benzer Kayıtlar

Medium

CVE-2026-2064

A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functiona…

Medium

CVE-2026-2015

A weakness has been identified in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file FinalStatu…

Medium

CVE-2025-9638

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portabilis i-Educa…

High

CVE-2025-65022

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL…

High

CVE-2025-65024

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL…

Medium

CVE-2025-11554

A security vulnerability has been detected in Portabilis i-Educar up to 2.9.10. Affected by this issue is some unknown f…