CVE-2025-65024: Portabilis i-Educar SQLi Vulnerability

CVE-2025-65024 is an authenticated time-based SQL injection flaw in Portabilis i-Educar that allows attackers to execute arbitrary SQL commands. This post explains its impact, affected versions, and mitigation steps.

CVE-2025-65024 Overview

CVE-2025-65024 is an authenticated time-based SQL injection vulnerability in i-Educar, a free, open-source school management platform maintained by Portabilis. The flaw affects versions 2.10.0 and prior and resides in the ieducar/intranet/agenda_admin_cad.php script. An attacker with a valid authenticated session can inject arbitrary SQL statements through the cod_agenda GET parameter, which is concatenated directly into a database query without sanitization [CWE-89]. Successful exploitation enables unauthorized data access, modification, and potentially full database compromise. The issue is resolved in commit 3e9763a.

Critical Impact

Authenticated attackers can execute arbitrary SQL queries against the i-Educar database, exposing student records, staff data, and other sensitive school information.

Affected Products

  • Portabilis i-Educar versions 2.10.0 and prior
  • Deployments using the agenda_admin_cad.php intranet module
  • Self-hosted school management instances exposed to authenticated users

Technical Details for CVE-2025-65024

Vulnerability Analysis

The vulnerability is a time-based SQL injection in the agenda administration endpoint of i-Educar. When the application receives a request to agenda_admin_cad.php, the cod_agenda GET parameter is read directly from $_GET and embedded into a raw SQL string passed to the clsBanco::Consulta() database wrapper. Because the value is not cast, escaped, or parameterized, an authenticated user can append SQL syntax that the database engine evaluates as part of the query. Time-based payloads using functions such as pg_sleep() allow an attacker to confirm injection and extract data character by character, even when the response itself does not display query output.

Root Cause

The root cause is improper neutralization of special elements used in an SQL command. The original code assigned $_GET['cod_agenda'] to $this->cod_agenda without type coercion, then interpolated it into a query against portal.agenda. The patch enforces an integer cast ((int) $_GET['cod_agenda']), eliminating the ability to inject SQL syntax through this parameter.

Attack Vector

Exploitation requires an authenticated session with access to the intranet agenda module. The attacker submits a crafted cod_agenda value containing SQL payloads to the vulnerable endpoint over the network. Because the underlying query targets a PostgreSQL schema (portal.agenda), time-delay primitives like pg_sleep enable blind extraction of arbitrary database contents, including credentials, student records, and configuration tables.

```php
// Patch applied in commit 3e9763a
$this->editar = false;
if (isset($_GET['cod_agenda'])) {
-    $this->cod_agenda = $_GET['cod_agenda'];
+    $this->cod_agenda = (int) $_GET['cod_agenda'];
    $db = new clsBanco;
    $db->Consulta(consulta: "SELECT cod_agenda, ref_ref_cod_pessoa_exc, ref_ref_cod_pessoa_cad,  nm_agenda, publica, envia_alerta, data_cad, data_edicao, ref_ref_cod_pessoa_own FROM portal.agenda WHERE cod_agenda='{$this->cod_agenda}'");
    if ($db->ProximoRegistro()) {
```
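Review bot: The `+` line closes the injection for this parameter by casting to int, but the `Consulta(...)` call two lines below still builds the query by interpolating `{$this->cod_agenda}` into a quoted literal; binding the value as a query parameter would keep the fix from depending on the cast surviving future edits to this block. Note also that `Consulta(consulta: ...)` uses a PHP 8 named argument, so this hunk requires PHP 8.0 or later.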

Source: portabilis/i-educar commit 3e9763a

Detection Methods for CVE-2025-65024

Indicators of Compromise

  • HTTP GET requests to /ieducar/intranet/agenda_admin_cad.php with non-numeric cod_agenda values
  • Query strings containing SQL keywords such as SELECT, UNION, SLEEP, or pg_sleep in the cod_agenda parameter
  • Anomalously long response times for requests against agenda_admin_cad.php consistent with time-based blind injection
  • PostgreSQL logs showing parse errors or unexpected queries originating from the i-Educar application user

Detection Strategies

  • Inspect web server access logs for cod_agenda parameter values that are not strictly integers
  • Enable PostgreSQL log_statement = 'all' temporarily to capture malformed queries against portal.agenda
  • Deploy WAF rules that block SQL metacharacters and time-delay function names in query parameters targeting i-Educar URIs
  • Correlate authenticated session activity with abnormal query latency to identify blind injection probing
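As an added illustration of the first and fourth detection strategies (this script is not part of the original advisory), the following Python code scans constructed access-log lines for the indicators listed above: non-integer or SQL-keyword-bearing cod_agenda values and slow responses against agenda_admin_cad.php. The log format, the trailing request-time field and the 3-second latency threshold are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format plus an assumed trailing
# request-time field in seconds); the probe strings mirror the IoCs listed above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:00:01 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=42 HTTP/1.1" 200 5120 0.031
10.0.0.7 - - [10/Jan/2025:10:00:09 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=42%27%20AND%20pg_sleep%285%29-- HTTP/1.1" 200 5120 5.044
10.0.0.7 - - [10/Jan/2025:10:00:20 +0000] "GET /ieducar/intranet/agenda_admin_cad.php?cod_agenda=42%20UNION%20SELECT%201 HTTP/1.1" 500 310 0.040
10.0.0.9 - - [10/Jan/2025:10:01:00 +0000] "GET /ieducar/intranet/index.php HTTP/1.1" 200 2200 0.020
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)
SQL_KEYWORDS = re.compile(r"\b(select|union|sleep|pg_sleep|waitfor|benchmark)\b", re.I)
VULN_PATH = "/ieducar/intranet/agenda_admin_cad.php"
SLOW_SECONDS = 3.0  # assumed threshold; tune to the normal latency of your deployment

def analyze_line(line):
    """Return the detection reasons for one log line (empty list if benign or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return []
    reasons = []
    # parse_qs percent-decodes, so encoded quotes, spaces and parentheses are inspected decoded
    for value in parse_qs(url.query).get("cod_agenda", []):
        if not re.fullmatch(r"[0-9]+", value):
            reasons.append("non-integer cod_agenda")
        if SQL_KEYWORDS.search(value):
            reasons.append("sql keyword in cod_agenda")
    if float(m.group("rt")) >= SLOW_SECONDS:
        reasons.append("slow response")
    return reasons

def scan(log_text):
    """Map each client IP with at least one finding to the set of reasons seen."""
    hits = {}
    for line in log_text.splitlines():
        reasons = analyze_line(line)
        if reasons:
            ip = LOG_RE.match(line).group("ip")
            hits.setdefault(ip, set()).update(reasons)
    return hits
```

Running `scan(SAMPLE_LOG)` on the constructed lines attributes all three findings to the single probing client while the legitimate integer request and the unrelated index.php request produce nothing.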

Monitoring Recommendations

  • Forward i-Educar web and database logs to a centralized analytics platform for retention and search
  • Alert on repeated 500-class responses or sustained high-latency responses from agenda endpoints
  • Track authenticated users generating an unusual volume of requests to agenda_admin_cad.php
  • Monitor for new or unexpected database accounts, roles, or privilege grants in PostgreSQL

How to Mitigate CVE-2025-65024

Immediate Actions Required

  • Upgrade i-Educar to a release that includes commit 3e9763a or later
  • Restrict access to the intranet agenda module to trusted administrative users only
  • Rotate database credentials and review session tokens if exploitation is suspected
  • Audit the portal.agenda and related tables for unauthorized reads or modifications

Patch Information

The vulnerability is fixed in commit 3e9763a561b328edaed21a7dc2e0dba0bbbc6e22. The patch casts the cod_agenda GET parameter to an integer before using it in the SQL query. Refer to the GitHub Security Advisory GHSA-6c8p-xqcv-rghx for the official guidance from Portabilis.

Workarounds

  • Place i-Educar behind a web application firewall that enforces integer-only values for the cod_agenda parameter
  • Apply network-level access controls limiting the intranet module to internal IP ranges or VPN users
  • Reduce the privileges of the database role used by i-Educar to the minimum required tables and operations
  • If patching is not immediately possible, manually apply the one-line integer cast from commit 3e9763a to agenda_admin_cad.php

```apache
# Example WAF rule pattern (ModSecurity) to block non-integer cod_agenda values
SecRule ARGS:cod_agenda "!@rx ^[0-9]+$" \
    "id:1065024,phase:2,deny,status:400,\
    msg:'CVE-2025-65024: non-integer cod_agenda parameter blocked',\
    tag:'sqli',tag:'i-educar'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
