9/23/2025/4 minutes to read/Tags: CVEs, SQLi, i-Educar
Introduction
While exploring i-Educar, I uncovered a critical time-based blind SQL Injection vulnerability in the id parameter of the /module/Cadastro/aluno endpoint.
This flaw allows attackers to execute arbitrary SQL queries silently against the backend database, putting data confidentiality, integrity, and availability at risk.
What is CVE-2025-10844?
The CVE-2025-10844 is a SQL Injection vulnerability in the /module/Cadastro/aluno endpoint of the i-Educar application.
The vulnerable parameter is id, which lacks proper input validation. This makes it possible to inject custom SQL queries, including PG_SLEEP() functions that introduce time delays, confirming the flaw via time-based behavior.
Technical Details
» Vulnerable Endpoint:/module/Cadastro/aluno
» Affected Parameter:id
» Payload Used (Decoded):
' AND 9581=(SELECT 9581 FROM PG_SLEEP(5)) AND 'bffB'='bffB
Proof of Concept (PoC)
To reproduce the vulnerability:
» Access /intranet/educar_aluno_lst.php and choose (click on) any register;