9/23/2025/3 minutes to read/Tags: CVEs, SQLi, i-Educar
Introduction
While exploring i-Educar, I uncovered a critical time-based blind SQL Injection vulnerability in the id parameter of the /module/ComponenteCurricular/view endpoint.
This flaw allows attackers to execute arbitrary SQL queries silently against the backend database, putting data confidentiality, integrity, and availability at risk.
What is CVE-2025-10845?
The CVE-2025-10845 is a SQL Injection vulnerability in the /module/ComponenteCurricular/view endpoint of the i-Educar application.
The vulnerable parameter is id, which lacks proper input validation. This makes it possible to inject custom SQL queries, including PG_SLEEP() functions that introduce time delays, confirming the flaw via time-based behavior.