CVE-2024-48325 Information

Description

Portabilis i-Educar 2.8.0 is vulnerable to SQL Injection in the \getDocuments\ function of the \InstituicaoDocumentacaoController\ class. The \instituicao_id\ parameter in /module/Api/InstituicaoDocumentacao?oper=get&resource=getDocuments&instituicao_id\ is not properly sanitized allowing an unauthenticated remote attacker to inject malicious SQL commands.

Reference

https://github.com/osvaldotenorio/cve-2024-48325