Vulnerability Description
i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit 3e9763a.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Portabilis | I-Educar | <= 2.10.0 |
Related Weaknesses (CWE)
References
- https://github.com/portabilis/i-educar/commit/3e9763a561b328edaed21a7dc2e0dba0bbPatch
- https://github.com/portabilis/i-educar/security/advisories/GHSA-6c8p-xqcv-rghxExploitVendor Advisory
FAQ
What is CVE-2025-65024?
CVE-2025-65024 is a vulnerability with a CVSS score of 7.2 (HIGH). i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php scr...
How severe is CVE-2025-65024?
CVE-2025-65024 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-65024?
Check the references section above for vendor advisories and patch information. Affected products include: Portabilis I-Educar.