Key Information

Vulnerability Type: SQL Injection (Time-based Blind)
Affected Scope: The endpoint in the i-Educar application, specifically in the parameter.

Vulnerability Details

Vulnerable Endpoint:
Parameter:
Access Path: Navigate to

Exploitation Conditions

- Requires an account with permissions to create/list the "Escola" menu.
- The application fails to properly validate and sanitize user input in the parameter.

PoC (Proof of Concept)

Payload:
Effect: Triggers a 5-second delay in the server response, confirming susceptibility to time-based blind SQL injection.

Example Request

Impact

- Unauthorized Data Access: Exposure of sensitive information such as credentials, personal data, or configuration details.
- Database Enumeration: Extraction of detailed database schema, tables, and columns.
- Data Manipulation: Ability to add, modify, or delete database records.
- Denial of Service (DoS): Degradation of system availability via time-based queries.
- Potential Privilege Escalation to RCE: May lead to Remote Code Execution when combined with other vulnerabilities and specific database features.

References

- CVE-2025-9607
- VulnDB-321785
- i-Educar - Official Repository

Discoverers

Marcelo Queiroz, CVE-Hunters
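The root cause named above (user input reaching the query text without validation) is fixed by binding the parameter instead of splicing it into the SQL. The following is an added example written for this page, not code from the i-Educar project (which is PHP); it uses a constructed SQLite table named escola and a hypothetical name filter to show the vulnerable pattern beside its parameterized form, and uses a constructed tautology string as test input to show that the bound version treats it as plain data.

```python
import sqlite3


def make_db():
    # Constructed sample schema standing in for a school ("escola") listing.
    # This is illustrative only and is not i-Educar's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE escola (id INTEGER PRIMARY KEY, nome TEXT)")
    conn.executemany(
        "INSERT INTO escola (nome) VALUES (?)",
        [("Escola Central",), ("Escola Norte",), ("Escola Sul",)],
    )
    conn.commit()
    return conn


def list_schools_vulnerable(conn, name_filter):
    # Vulnerable pattern: untrusted input is concatenated into the SQL text,
    # so quote characters in the input change the statement's structure.
    sql = "SELECT id, nome FROM escola WHERE nome = '" + name_filter + "'"
    return conn.execute(sql).fetchall()


def list_schools_safe(conn, name_filter):
    # Hardened pattern: the value is bound to a placeholder and sent to the
    # driver separately from the query text, so it can only ever be data.
    sql = "SELECT id, nome FROM escola WHERE nome = ?"
    return conn.execute(sql, (name_filter,)).fetchall()


def compare(conn, name_filter):
    # Returns the row counts each variant yields for the same input, which
    # makes the difference between the two patterns easy to assert on.
    return {
        "vulnerable": len(list_schools_vulnerable(conn, name_filter)),
        "safe": len(list_schools_safe(conn, name_filter)),
    }


if __name__ == "__main__":
    db = make_db()
    # A legitimate filter behaves identically under both variants.
    print(compare(db, "Escola Norte"))        # {'vulnerable': 1, 'safe': 1}
    # Constructed tautology input: the concatenated query returns every row,
    # while the bound query looks for a school literally named that string.
    print(compare(db, "' OR '1'='1"))          # {'vulnerable': 3, 'safe': 0}
```

The same principle applies to a time-based blind injection: once the value is bound rather than concatenated, any SQL inside it never reaches the database's parser, so the delay primitive the advisory describes cannot be triggered through that parameter. Input validation (an allowlist for the parameter's expected format) is a useful second layer but is not a substitute for parameterized queries.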