CVE-2025-10844 CVE-2025-10844

CVE-2025-10844

Introduction

While exploring i-Educar, I uncovered a critical time-based blind SQL Injection vulnerability in the id parameter of the /module/Cadastro/aluno endpoint.

This flaw allows attackers to execute arbitrary SQL queries silently against the backend database, putting data confidentiality, integrity, and availability at risk.


What is CVE-2025-10844?

The CVE-2025-10844 is a SQL Injection vulnerability in the /module/Cadastro/aluno endpoint of the i-Educar application.

The vulnerable parameter is id, which lacks proper input validation. This makes it possible to inject custom SQL queries, including PG_SLEEP() functions that introduce time delays, confirming the flaw via time-based behavior.


Technical Details

» Vulnerable Endpoint: /module/Cadastro/aluno

» Affected Parameter: id

» Payload Used (Decoded):

' AND 9581=(SELECT 9581 FROM PG_SLEEP(5)) AND 'bffB'='bffB

Proof of Concept (PoC)

To reproduce the vulnerability:

» Access /intranet/educar_aluno_lst.php and choose (click on) any register;

» In the new page, click on: "Editar";

» The system redirects to a URL like:

http://localhost:8086/module/Cadastro/aluno?id=[ID]

» Now, modify the: id parameter with the payload:

/module/Cadastro/aluno?id=[ID]' AND 9581=(SELECT 9581 FROM PG_SLEEP(5)) AND 'bffB'='bffB

The server will take 5 seconds to respond, confirming that the SQL query was executed successfully:

You can access the full technical report with all step-by-step evidence here:

CVE-2025-10844 Report


Impact

This SQL Injection vulnerability can be exploited to:

  • Access sensitive data stored in the database;
  • Enumerate database schemas, tables, and columns;
  • Modify, delete, or insert arbitrary records;
  • Steal user credentials and personal information;
  • Perform a denial of service (DoS) attack by triggering long query delays;
  • In some cases, escalate to Remote Code Execution (RCE).

Official Sources

This vulnerability was reported responsibly and is publicly registered as:


Credits

Discovered with💜 by Karina Gante.

LinkedInGitHubGmailInstagram

Official Member of CVE-Hunters🏹


← Back to blog