CVE-2025-65024

moderate-risk

Published 2025-11-19

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit 3e9763a.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (1)

I-Educar

Affected Vendors

Portabilis

References (2)

Patch https://github.com/portabilis/i-educar/commit/3e9763a561b328edaed21a7dc2e0dba0bb...

Exploit https://github.com/portabilis/i-educar/security/advisories/GHSA-6c8p-xqcv-rghx

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal