i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_funcionario_vinculo GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit a00dfa3.
References
| Link | Resource |
|---|---|
| https://github.com/portabilis/i-educar/commit/a00dfa3f129bc84e27873aa01cbd3f82e5b6c6c8 | Patch |
| https://github.com/portabilis/i-educar/security/advisories/GHSA-8rv6-x8h9-fjfc | Exploit Vendor Advisory |
| https://github.com/portabilis/i-educar/security/advisories/GHSA-8rv6-x8h9-fjfc | Exploit Vendor Advisory |
Configurations
History
20 Nov 2025, 17:20
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/portabilis/i-educar/commit/a00dfa3f129bc84e27873aa01cbd3f82e5b6c6c8 - Patch | |
| References | () https://github.com/portabilis/i-educar/security/advisories/GHSA-8rv6-x8h9-fjfc - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:* | |
| First Time |
Portabilis i-educar
Portabilis |
19 Nov 2025, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/portabilis/i-educar/security/advisories/GHSA-8rv6-x8h9-fjfc - |
19 Nov 2025, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-19 16:15
Updated : 2025-11-20 17:20
NVD link : CVE-2025-65023
Mitre link : CVE-2025-65023
CVE.ORG link : CVE-2025-65023
JSON object : View
Products Affected
portabilis
- i-educar
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')