
CVE-2025-65024: Critical SQL Injection Threatens i-Educar School Management Systems

Overview

A high-severity, time-based (blind) SQL injection vulnerability, tracked as CVE-2025-65024, has been discovered in i-Educar, a widely used free, web-based school management system. The flaw affects versions 2.10.0 and earlier. An authenticated attacker can use it to execute arbitrary SQL against the application's database, which can lead to exposure of student and staff records, tampering with data, and in the worst case further compromise of the hosting server. Organizations running an affected version should apply the available patch immediately.

Technical Details

The vulnerability resides in the ieducar/intranet/agenda_admin_cad.php script. The cod_agenda GET parameter is concatenated directly into an SQL query without validation or escaping, so an authenticated user who manipulates cod_agenda in the URL controls part of the statement the database executes. Because the injection is blind and time-based, the application does not return query output to the attacker; instead the attacker appends a conditional delay (`SLEEP()` on MySQL, `pg_sleep()` on PostgreSQL, which i-Educar uses) and infers the truth of a chosen condition from the response time. That is enough to confirm the injection and then extract data one bit at a time.

For example, a malicious request might look like this (shown unencoded; in a real request the `;`, spaces and `--` would be URL-encoded):

/ieducar/intranet/agenda_admin_cad.php?cod_agenda=1;SELECT SLEEP(5);--

Note that this stacked-statement form only works if the database driver executes multiple statements in one call. A payload placed inside the WHERE expression itself, such as cod_agenda=1 AND SLEEP(5), does not depend on that and is what most blind time-based probes use.

CVSS Analysis

  • CVE ID: CVE-2025-65024
  • Severity: HIGH
  • CVSS Score: 7.2

A CVSS score of 7.2 falls in the High band (7.0 to 8.9). It reflects the potential for significant loss of confidentiality, integrity and availability of the data the application holds. The need for a valid account keeps the score below Critical, but the low attack complexity and the breadth of what an attacker can reach once inside the database still make this a serious risk.

Possible Impact

Successful exploitation of this SQL injection vulnerability can have severe consequences, including:

  • Data Breach: Attackers can steal sensitive student data, teacher information, and other confidential records stored in the database.
  • Data Manipulation: Attackers can modify or delete critical data, leading to data corruption and operational disruptions.
  • System Compromise: If the database account has elevated privileges (for example the ability to write files or run commands on the database host), an attacker may be able to gain control of the server hosting i-Educar and pivot to other systems.
  • Denial of Service: Attackers can overload the database server with malicious queries, causing a denial of service for legitimate users.

Mitigation or Patch Steps

The recommended mitigation is to upgrade i-Educar to a version containing the fix for this vulnerability. The vulnerability has been patched in the following commit:

If upgrading is not immediately possible, a temporary workaround is to validate the cod_agenda GET parameter strictly as an integer (it is a numeric record id) and reject anything else before it reaches the query. This is not a substitute for the official patch and should only be a stopgap. The durable fix is to use parameterized queries or prepared statements: these do not "sanitize" the value, they keep it out of the SQL text entirely and pass it to the database as a bound parameter, so the database never parses user input as code.
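The following Python script is an added example, not code from i-Educar or from the original post. It models the flawed pattern described in the Technical Details section (the cod_agenda value concatenated into the query) beside the hardened pattern recommended above (strict integer validation plus a bound parameter), and shows how a blind time-based probe turns the vulnerable query into a yes/no oracle. It runs offline against an in-memory SQLite database with a user-defined SLEEP() function standing in for MySQL's SLEEP() / PostgreSQL's pg_sleep(); the table name, the nm_agenda column and the sample rows are assumptions for the demo, not i-Educar's real schema.

```python
import re
import sqlite3
import time

# Constructed stand-in for the agenda table the vulnerable script queries.
# Table and column names other than cod_agenda are assumptions for this demo,
# not i-Educar's real schema.
SCHEMA = """
CREATE TABLE agenda (
    cod_agenda INTEGER PRIMARY KEY,
    nm_agenda  TEXT NOT NULL
);
INSERT INTO agenda VALUES (1, 'Calendario escolar');
INSERT INTO agenda VALUES (2, 'Reunioes pedagogicas');
"""

DELAY = 0.3  # seconds; an attacker picks something clearly above network jitter


def _sleep_udf(seconds):
    """Emulate MySQL's SLEEP() / PostgreSQL's pg_sleep() inside SQLite."""
    time.sleep(float(seconds))
    return 0


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.create_function("SLEEP", 1, _sleep_udf)
    return conn


# --- the flawed pattern: GET parameter concatenated straight into SQL --------

def build_vulnerable_sql(cod_agenda):
    """Whatever arrives in cod_agenda becomes part of the statement text."""
    return f"SELECT nm_agenda FROM agenda WHERE cod_agenda = {cod_agenda}"


def fetch_vulnerable(conn, cod_agenda):
    return conn.execute(build_vulnerable_sql(cod_agenda)).fetchall()


def blind_probe(conn, condition_sql):
    """Time-based oracle: the query sleeps only when condition_sql is true.

    The payload rides inside the cod_agenda value (no stacked statement
    needed), and a late response tells the attacker the truth value of the
    condition without any query output being shown.
    """
    payload = f"1 AND CASE WHEN ({condition_sql}) THEN SLEEP({DELAY}) ELSE 0 END = 0"
    t0 = time.monotonic()
    fetch_vulnerable(conn, payload)
    return time.monotonic() - t0 >= DELAY * 0.9


# --- the hardened pattern: strict type check plus a bound parameter ---------

COD_AGENDA_RE = re.compile(r"[0-9]{1,10}")


def parse_cod_agenda(raw):
    """cod_agenda is an integer id; reject anything that is not one."""
    if not COD_AGENDA_RE.fullmatch(raw):
        raise ValueError(f"invalid cod_agenda: {raw!r}")
    return int(raw)


def fetch_hardened(conn, raw_cod_agenda):
    """The value never enters the SQL text; the driver binds it as data."""
    cod_agenda = parse_cod_agenda(raw_cod_agenda)
    return conn.execute(
        "SELECT nm_agenda FROM agenda WHERE cod_agenda = ?", (cod_agenda,)
    ).fetchall()


def hardened_rejects(conn, raw_cod_agenda):
    """True when the hardened path refuses the value before any SQL runs."""
    try:
        fetch_hardened(conn, raw_cod_agenda)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    # Injection confirmed: the response is slow only when the condition holds.
    print("more than one row:", blind_probe(db, "(SELECT COUNT(*) FROM agenda) > 1"))
    print("more than five rows:", blind_probe(db, "(SELECT COUNT(*) FROM agenda) > 5"))
    # The same payloads never reach the database through the hardened handler.
    print("rejects in-expression payload:", hardened_rejects(db, "1 AND SLEEP(5)"))
    print("rejects stacked payload:", hardened_rejects(db, "1;SELECT SLEEP(5);--"))
    print("normal lookup:", fetch_hardened(db, "1"))
```

The probe extracts one boolean per request; a real attacker chains such probes (comparing characters of a column value one position at a time) to read whole rows, which is why "no output is displayed" is not a mitigation. The hardened handler rejects both the page's stacked payload and the in-expression form because neither is a plain integer, and even a value that slips past validation is bound as data rather than parsed as SQL.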

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
