Description
A weakness has been identified in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file FinalStatusImportService.php of the component Final Status Import. Executing a manipulation of the argument school_id can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization Leading to Unauthorized Data Access
Action: Patch
AI Analysis

Impact

Portabilis i‑Educar exposes a weakness in FinalStatusImportService.php where manipulating the school_id argument can bypass authorization checks. The flaw, classified as improper authorization, permits a remote attacker to access or modify data belonging to other schools. The attack can be carried out over the network and has a publicly available exploit, escalating the risk of confidential data leakage or integrity compromise.

Affected Systems

All installations of Portabilis i‑Educar up to and including version 2.10 are affected. The vulnerability resides in the Final Status Import component and impacts any instance where external users can invoke the service with a crafted school_id.

Risk and Exploitability

The CVSS 4.0 score of 5.3 indicates medium severity (the CVSS 3.0 and 3.1 vectors recorded for this entry score 6.3), but the EPSS probability of less than 1% suggests that active exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed widespread attacks yet. The recorded vectors specify PR:L, so the attacker needs a low-privileged authenticated account; with one, the defect is exploited by sending a crafted request to the FinalStatusImportService endpoint with an altered school_id parameter, which yields unauthorized data access. Because the flaw is remotely reachable and a public proof-of-concept exists, it should be treated as a moderate threat pending a vendor fix.

Generated by OpenCVE AI on April 17, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch or upgrade to a non‑affected i‑Educar release (e.g., versions newer than 2.10).
  • If a patch is unavailable, restrict external access to the Final Status Import endpoint using firewall rules or network segmentation, allowing only trusted administrative hosts to reach it.
  • Implement application‑level role‑based access controls to ensure that only authorized users can supply a school_id for status imports.
  • Monitor application logs for anomalous school_id values or repeated unauthorized access attempts and trigger alerts for suspicious activity.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Portabilis
Portabilis i-educar
Vendors & Products Portabilis
Portabilis i-educar

Fri, 06 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 10:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file FinalStatusImportService.php of the component Final Status Import. Executing a manipulation of the argument school_id can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title Portabilis i-Educar Final Status Import FinalStatusImportService.php improper authorization
Weaknesses CWE-266
CWE-285
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:24:00.573Z

Reserved: 2026-02-05T19:32:26.013Z

Link: CVE-2026-2015

Vulnrichment

Updated: 2026-02-06T13:26:00.695Z

NVD

Status: Analyzed

Published: 2026-02-06T11:15:51.127

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2015

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses