CVE-2024-48325

Name of the Vulnerable Software and Affected Versions Portabilis i-Educar version 2.8.0

Description The issue concerns a SQL Injection vulnerability in the getDocuments function of the InstituicaoDocumentacaoController class. Specifically, the instituicao id parameter in the "/module/Api/InstituicaoDocumentacao?oper=get&resource=getDocuments&instituicao id" endpoint is not properly sanitized, allowing an unauthenticated remote attacker to inject malicious SQL commands. This could potentially lead to data compromise.

Recommendations For Portabilis i-Educar version 2.8.0, as a temporary workaround, consider validating the instituicao id parameter to prevent SQL injection attacks. Restrict access to the /module/Api/InstituicaoDocumentacao?oper=get&resource=getDocuments&instituicao id endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.