PT-2025-47474 · I-Educar · I-Educar

Published 2025-11-19 · Updated 2025-11-24 · CVE-2025-65023

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: i-Educar versions prior to 2.10.0

Description: i-Educar is school management software. A time-based SQL injection exists in the ieducar/intranet/funcionario_vinculo_cad.php script for authenticated users. An attacker with an authenticated session can execute arbitrary SQL commands against the application's database. The issue is due to the improper handling of the cod_funcionario_vinculo GET parameter, which is directly concatenated into an SQL query without proper sanitization.

Recommendations: Update i-Educar to a version later than 2.10.0.
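The pattern the description names, a GET parameter concatenated straight into the SQL text, shown beside a hardened form. This is an added illustration written for this page; it is not i-Educar's code and not taken from the advisory. The function names, the table name and the `$pdo` handle are assumptions for the example; the parameter name is the one the advisory cites.

```php
<?php
// Added example, not i-Educar's code. Table name, function names and the
// $pdo handle are assumptions; only the parameter name comes from the advisory.

// Vulnerable pattern: the raw GET value becomes part of the SQL string, so
// the database parses whatever the client sent as SQL. A delay-inducing
// expression in the parameter is what makes the injection "time-based".
function loadVinculoUnsafe(PDO $pdo, array $get): ?array
{
    $cod = $get['cod_funcionario_vinculo'] ?? '';
    $sql = 'SELECT * FROM funcionario_vinculo '
         . 'WHERE cod_funcionario_vinculo = ' . $cod;   // string concatenation: injectable
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened form: validate the type first (the value is a numeric key), then
// bind it as a parameter so it can only ever be data, never SQL.
function loadVinculoSafe(PDO $pdo, array $get): ?array
{
    $cod = filter_var(
        $get['cod_funcionario_vinculo'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($cod === false) {
        // Missing or non-integer input: reject instead of guessing.
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM funcionario_vinculo WHERE cod_funcionario_vinculo = :cod'
    );
    $stmt->bindValue(':cod', $cod, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}
```

Because the parameter is a numeric identifier, rejecting anything that does not validate as a positive integer closes this injection on its own; the prepared statement is kept as well because it is the control that still holds for fields that legitimately carry free text. A code review for the same class of defect looks for `query()` or `exec()` calls whose SQL string is built with `.` concatenation or interpolation of `$_GET`, `$_POST` or `$_REQUEST` values.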

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2025-65023
GHSA-8RV6-X8H9-FJFC

Affected Products

I-Educar