Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65022

CVE-2025-65022: Portabilis i-Educar SQLi Vulnerability

CVE-2025-65022 is a time-based SQL injection flaw in Portabilis i-Educar that allows authenticated attackers to execute arbitrary SQL commands. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-65022 Overview

CVE-2025-65022 is an authenticated time-based SQL injection vulnerability in i-Educar, a free open-source school management platform maintained by Portabilis. The flaw resides in ieducar/intranet/agenda.php and affects versions 2.10.0 and prior. The cod_agenda request parameter is concatenated directly into multiple SQL queries without sanitization, allowing an authenticated attacker to execute arbitrary SQL against the backend database. The maintainers patched the issue in commit b473f92 by casting the parameter to an integer before use.

Critical Impact

Authenticated attackers can extract, modify, or destroy data in the i-Educar database, compromising student records, grades, and administrative information.

Affected Products

  • Portabilis i-Educar versions 2.10.0 and earlier
  • The ieducar/intranet/agenda.php script
  • Deployments using the unpatched clsAgenda class invocation path

Discovery Timeline

  • 2025-11-19 - CVE-2025-65022 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-65022

Vulnerability Analysis

The vulnerability is a classic SQL injection [CWE-89] in the agenda (calendar) functionality of i-Educar. When a user requests the agenda view, the cod_agenda HTTP parameter is read from $_REQUEST and passed directly into the clsAgenda class constructor, which builds SQL statements through string concatenation. Because the parameter is never validated, type-cast, or parameterized, an authenticated user can append SQL syntax that the database executes.

Exploitation requires only an authenticated session, but i-Educar deployments commonly grant accounts to teachers, staff, and administrative users. Time-based blind techniques such as SLEEP() payloads allow attackers to enumerate database contents one bit at a time, even when query results are not reflected in the response.

Root Cause

The root cause is improper neutralization of special elements in an SQL command. The application trusts client-supplied input for cod_agenda and concatenates it into multiple queries inside clsAgenda. No prepared statements, parameter binding, or input validation are applied before query execution.

Attack Vector

An attacker authenticates to the i-Educar intranet and issues a crafted request to ieducar/intranet/agenda.php with a malicious cod_agenda value. The payload is reflected into SQL queries handled by the clsAgenda class, enabling read and write access to arbitrary tables in the application database.

php
// Patch from commit b473f92 - ieducar/intranet/agenda.php
Portabilis_View_Helper_Application::loadStylesheet(viewInstance: $this, files: '/intranet/styles/agenda.css');

if ($_REQUEST['cod_agenda']) {
-    $this->agenda = $_REQUEST['cod_agenda'];
-    $objAgenda = new clsAgenda(int_cod_editor: $this->editor, int_cod_pessoa_dono: false, int_cod_agenda: $_REQUEST['cod_agenda']);
+    $this->agenda = (int) $_REQUEST['cod_agenda'];
+    $objAgenda = new clsAgenda(int_cod_editor: $this->editor, int_cod_pessoa_dono: false, int_cod_agenda: $this->agenda);
} else {
    $objAgenda = new clsAgenda(int_cod_editor: $this->editor, int_cod_pessoa_dono: $this->editor, int_cod_agenda: false);
    $this->agenda = $objAgenda->getCodAgenda();

Source: GitHub commit b473f92. The fix forces cod_agenda to an integer with (int) before it reaches the SQL layer, neutralizing injected syntax.

Detection Methods for CVE-2025-65022

Indicators of Compromise

  • HTTP requests to /ieducar/intranet/agenda.php containing SQL keywords such as SLEEP, BENCHMARK, UNION, SELECT, or -- in the cod_agenda parameter
  • Web server logs showing unusually long response times for agenda.php requests, consistent with time-based blind SQL injection probes
  • Database logs containing errors or queries referencing concatenated values for cod_agenda that are not integers
  • Authenticated sessions issuing high volumes of agenda requests with varying cod_agenda payloads

Detection Strategies

  • Inspect access logs for cod_agenda parameter values that contain non-numeric characters, URL-encoded quotes (%27), or SQL operators
  • Enable PostgreSQL query logging and alert on statements originating from agenda.php that include pg_sleep, SLEEP, or boolean tautologies
  • Deploy a web application firewall (WAF) rule that blocks SQL metacharacters in the cod_agenda parameter

Monitoring Recommendations

  • Monitor database response time anomalies tied to specific authenticated user sessions interacting with the agenda module
  • Track HTTP 500 responses from agenda.php that may indicate failed injection attempts
  • Correlate authentication events with bursts of agenda requests to identify compromised or abusive accounts

How to Mitigate CVE-2025-65022

Immediate Actions Required

  • Upgrade i-Educar to a version that includes commit b473f92 or later
  • Audit existing user accounts and revoke unused or stale credentials that could provide the required authenticated access
  • Review database audit logs for evidence of unauthorized queries against the i-Educar schema since the affected version was deployed
  • Rotate database credentials if compromise is suspected and reset user passwords for the intranet

Patch Information

The vulnerability is fixed in commit b473f92. Full details are published in the GitHub Security Advisory GHSA-4hrj-5gwx-r4w4. The fix casts the cod_agenda parameter to an integer before passing it to the clsAgenda constructor, preventing injection through that parameter.

Workarounds

  • Restrict network access to the i-Educar intranet to trusted users only while patching is planned
  • Place a WAF in front of i-Educar with a rule that rejects requests where cod_agenda is not a positive integer
  • Temporarily disable the agenda module for non-administrative roles until the patched commit is deployed
bash
# Example ModSecurity rule to enforce integer-only cod_agenda values
SecRule ARGS:cod_agenda "!@rx ^[0-9]+$" \
    "id:1065022,phase:2,deny,status:400,\
    msg:'CVE-2025-65022: Non-integer cod_agenda blocked',\
    tag:'sqli',tag:'i-educar'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.