Portabilis i-Educar CVE-2025-11554
Severity: Low (by source)
Primary rating from NVD · only source for this CVE.
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security vulnerability has been detected in Portabilis i-Educar up to 2.9.10. Affected by this issue is some unknown functionality of the file app/Http/Controllers/AccessLevelController.php of the component User Type Handler. The manipulation leads to insecure inherited permissions. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
Analysis (AI)
Insecure inherited permissions in Portabilis i-Educar up to version 2.9.10 allow authenticated remote attackers to escalate privileges through the User Type Handler component in AccessLevelController.php, potentially gaining unauthorized access to protected functionality. The vulnerability requires valid login credentials (PR:L) but carries low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists, though the EPSS score of 0.06% (19th percentile) suggests limited real-world exploitation despite public disclosure.
Technical Context (AI)
The vulnerability resides in the AccessLevelController.php file within the User Type Handler component of Portabilis i-Educar, a PHP-based educational management system. The root cause is classified under CWE-266 (Improper Privilege Management), indicating that the application fails to properly validate or enforce access control boundaries when permissions are inherited across user types. The affected CPE is cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:*, and the advisory covers all versions up to and including 2.9.10. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no special attack requirements (AT:N) and no user interaction (UI:N), but exploitation mandates prior authentication (PR:L), limiting the threat surface to users with valid system access.
Remediation (AI)
Upgrade Portabilis i-Educar to a patched version beyond 2.9.10. Contact Portabilis directly or monitor their GitHub repository (https://github.com/portabilis/i-educar) for release notes indicating the version that fixes CWE-266 privilege inheritance in AccessLevelController.php. As an interim compensating control, restrict administrative role assignments to trusted personnel only, and implement periodic audits of user type permissions to detect unauthorized privilege escalation. Database-level access controls on permission tables and logging of access level changes can provide visibility into potential exploitation attempts. These controls do not eliminate the vulnerability but reduce the impact window if authentication is compromised.