CVE-2025-8790
BaseFortify
Publication date: 2025-08-10
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-educar | to 2.9.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8790 is a Broken Object Level Authorization (BOLA) vulnerability in Portabilis i-Educar versions up to 2.9.0, specifically in the API endpoint /module/Api/pessoa. It allows any authenticated user with low privileges to access sensitive personal information of other users by manipulating the 'id' parameter in the API request. The API does not properly enforce authorization checks, so a user can send a crafted request with another user's ID and retrieve that user's personal data without permission. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized exposure of sensitive personally identifiable information (PII) to users who should not have access. This can result in data abuse, impersonation, user enumeration, and privacy violations. Attackers can remotely exploit this flaw easily, potentially compromising confidentiality of user data within the affected system. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability leads to unauthorized disclosure of personal data, which violates data protection regulations such as GDPR and LGPD. Exposure of sensitive personal information without proper authorization breaches compliance requirements related to data confidentiality and user privacy under these standards. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the API endpoint /module/Api/pessoa with manipulated id parameters while authenticated as a low-privileged user. For example, after authenticating, you can send a GET request to the endpoint with different id values to see if data from other users is returned. A sample command using curl would be: curl -i -H "Cookie: <auth_cookie>" "http://<target>/module/Api/pessoa?&oper=get&resource=pessoa&id=1". If the response returns data for user id=1 despite being authenticated as a different user, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable API endpoint to only trusted users, monitoring and logging API requests for suspicious activity, and considering replacing or upgrading the affected Portabilis i-Educar product since no vendor patch or mitigation has been provided. Additionally, limit exposure by applying network-level controls such as firewall rules to restrict access to the API endpoint. Since the vendor has not responded and no patches are available, these steps help reduce risk until a fix or replacement is implemented. [2]