CVE-2025-9532

MEDIUM

Portabilis i-Educar <2.10 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-9532. PoCs published by KarinaGante.

AI-analyzed exploit summary The repository contains detailed writeups for multiple CVEs, including CVE-2025-10909, which describes a stored XSS vulnerability via SVG file upload bypass in NovoSGA. The writeup includes technical details, PoC payloads, and impact analysis.

Description

A flaw has been found in Portabilis i-Educar up to 2.10. This impacts an unknown function of the file /RegraAvaliacao/view. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

github WRITEUP

by KarinaGante · htmlpoc

https://github.com/KarinaGante/KG-Sec/tree/main/CVEs/i-Educar/CVE-2025-9532.md

View Code ZIP pw:eip

The repository contains detailed writeups for multiple CVEs, including CVE-2025-10909, which describes a stored XSS vulnerability via SVG file upload bypass in NovoSGA. The writeup includes technical details, PoC payloads, and impact analysis.

Classification

Writeup 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: NovoSGA

Auth required

Prerequisites: access to admin endpoint · ability to upload SVG files

MITRE ATT&CK