CVE-2025-10845: SQL Injection in Portabilis i-Educar

Severity: Medium
Tags: Vulnerability, cve, cve-2025-10845
Published: Tue Sep 23 2025 (09/23/2025, 06:32:08 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/ComponenteCurricular/view. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

AI-Powered Analysis

Last updated: 09/24/2025, 00:12:48 UTC

Technical Analysis

CVE-2025-10845 is a medium-severity SQL injection vulnerability affecting Portabilis i-Educar versions up to 2.10. The flaw lies in an unspecified part of the file /module/ComponenteCurricular/view, where the value of the 'ID' argument reaches a database query without adequate sanitization, so whoever controls that argument can alter the query. The CVSS 4.0 vector fragments in the record (AV:N/AC:L/AT:N/UI:N/PR:L) say the attack is network-reachable, of low complexity, needs no special preconditions and no user interaction, but does require low privileges: the attacker needs an account on the i-Educar instance, not an unauthenticated position. "Remote" in the description therefore means reachable over the network, not anonymous. Confidentiality, integrity and availability are each rated Low (VC:L/VI:L/VA:L), which is why the base score is 5.3 (Medium) despite the injection primitive: exploitation can read or modify whatever the injected query can reach, or degrade the service, but the record does not establish full database or host compromise. No exploitation in the wild has been reported, but a public exploit exists, so the bar for opportunistic attempts is low. The likely root cause, as with most SQL injection findings of this shape, is that the 'ID' argument is neither validated as an integer nor bound through a parameterized query, so a crafted value changes the structure of the backend SQL rather than merely supplying a value. Because i-Educar is a school management platform, the data such a query can reach includes student, staff and institutional records.
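The mechanism described above, as an added example that is not i-Educar's code (i-Educar is a PHP application; this is a Python/sqlite3 stand-in written for this page). The table, column names and sample rows are constructed, and the tautology payload is a generic SQL injection test value, not the published exploit. The vulnerable handler concatenates the ID argument into the query, so a value such as 2 OR 1=1 returns every row; the hardened handler allow-lists the argument as a positive integer and binds it as a query parameter, so the same value is rejected before any SQL runs:

```python
import re
import sqlite3

# Constructed sample data standing in for the curriculum-component records that
# /module/ComponenteCurricular/view displays. Table and column names are
# assumptions made for this example, not i-Educar's real schema.
SAMPLE_ROWS = [
    (1, "Matematica", 80),
    (2, "Portugues", 80),
    (3, "Historia", 40),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE componente_curricular "
        "(id INTEGER PRIMARY KEY, nome TEXT, carga_horaria INTEGER)"
    )
    conn.executemany("INSERT INTO componente_curricular VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def view_component_vulnerable(conn, id_param):
    """Vulnerable pattern: the request argument is spliced into the SQL text.

    Whatever the client sends becomes part of the statement, so the argument
    can change the query's logic instead of only supplying a value.
    """
    sql = (
        "SELECT id, nome, carga_horaria FROM componente_curricular WHERE id = "
        + id_param
    )
    return conn.execute(sql).fetchall()


# Allow-list for the ID argument: a positive decimal integer of sane length.
_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def parse_id(id_param):
    """Reject anything that is not a plain positive integer before it nears SQL."""
    if not isinstance(id_param, str) or not _ID_RE.fullmatch(id_param):
        raise ValueError("invalid ID argument: %r" % (id_param,))
    return int(id_param)


def view_component_hardened(conn, id_param):
    """Hardened pattern: validated integer bound through a query parameter.

    The '?' placeholder ships the value separately from the SQL text, so even a
    value that slipped past validation could not alter the statement structure.
    """
    component_id = parse_id(id_param)
    sql = "SELECT id, nome, carga_horaria FROM componente_curricular WHERE id = ?"
    return conn.execute(sql, (component_id,)).fetchall()


def run_demo():
    """Run both handlers against a benign value and a tautology payload."""
    conn = make_db()
    benign = "2"
    payload = "2 OR 1=1"  # constructed generic test value, not the published exploit
    results = {
        "vulnerable_benign": view_component_vulnerable(conn, benign),
        "vulnerable_injected": view_component_vulnerable(conn, payload),
        "hardened_benign": view_component_hardened(conn, benign),
    }
    try:
        view_component_hardened(conn, payload)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-20s %s" % (name, value))
```

The same two-layer defence carries over to PHP: cast or regex-check the argument to an integer, then pass it through a prepared statement (PDO prepare/execute with a bound value) instead of interpolating it into the query string. Running the application against the database with a least-privilege account limits what an injected query can reach if either layer is missed elsewhere.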

Potential Impact

For European organizations, particularly educational institutions running Portabilis i-Educar, the exposure is to the confidentiality and integrity of educational data. A successful injection could read student records, grades and other personal data, a breach that would fall under GDPR notification duties, or alter academic records and disrupt administrative processes. Exploitation is remote but not unauthenticated: the PR:L rating means the attacker needs a low-privileged account, so the realistic threat actors are enrolled users, holders of compromised credentials, and anyone able to obtain an account on an internet-facing instance. The medium score reflects the Low impact rating in each dimension; the record does not establish full system compromise or a wide availability outage. The public exploit nonetheless makes opportunistic attempts likely and raises the urgency of mitigation, along with the reputational damage and regulatory penalties a breach would carry.

Mitigation Recommendations

Check with Portabilis for a release that fixes this issue and update to it: the record lists versions up to 2.10 as affected but names no fixed version, so confirm the fix is present rather than assuming any later release carries it. The real fix is in code: validate the 'ID' argument as an integer and pass it to the database through a parameterized query instead of string concatenation. Operators who cannot change the application code should treat everything below as compensating controls, not as a fix. Put the endpoint behind a Web Application Firewall with a rule that rejects non-numeric values of ID on /module/ComponenteCurricular/view; an allow-list for one parameter is far more reliable than generic SQL injection signatures. Since exploitation requires a low-privileged account, review how accounts are obtained (self-registration, default or shared credentials) and restrict network access to the application to trusted IP ranges where possible. Run the application against the database with a least-privilege account so an injected query cannot read or write beyond the tables the module needs. Monitor web-server and database logs for non-numeric ID values and repeated malformed requests to this endpoint, and review historical logs from the period since the exploit was published. Have code reviews and penetration tests cover other modules of the application for the same pattern. Keep IT staff and administrators aware of the issue, and maintain tested backups of the database so that tampered records can be restored.
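For the log-monitoring recommendation, an added example written for this page (not from the advisory or from Portabilis) that scans web-server access logs in combined format for requests to /module/ComponenteCurricular/view whose ID argument is not a plain unsigned integer, then flags source addresses that do it repeatedly. The log lines are constructed; the query-string form ?id= and the lowercase parameter name are assumptions, since the record names only the path and the argument 'ID':

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoint and argument named in the CVE record. The parameter is matched
# case-insensitively because the record writes it as 'ID'.
TARGET_PATH = "/module/ComponenteCurricular/view"
TARGET_PARAM = "id"

# Constructed sample access-log lines (combined format), not real traffic.
# Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Sep/2025:10:01:02 +0000] "GET /module/ComponenteCurricular/view?id=12 HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:10:01:05 +0000] "GET /module/ComponenteCurricular/view?id=12%20OR%201%3D1 HTTP/1.1" 200 18044 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:10:01:09 +0000] "GET /module/ComponenteCurricular/view?id=12%20AND%20SLEEP(5) HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:10:01:15 +0000] "GET /module/ComponenteCurricular/view?id=12'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Sep/2025:10:02:00 +0000] "GET /module/ComponenteCurricular/view?id=7 HTTP/1.1" 200 4090 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Sep/2025:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def suspicious_id_requests(log_text):
    """Return (ip, timestamp, decoded ID value, status) for hits on the endpoint
    whose ID argument is anything other than a plain unsigned integer.

    Checking an allow-list (digits only) instead of a deny-list of SQL keywords
    means encoded, commented or otherwise unusual payloads are still flagged.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes the values and turns '+' into spaces.
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() != TARGET_PARAM:
                continue
            for value in values:
                if not value.isdigit():
                    hits.append((m.group("ip"), m.group("ts"), value, int(m.group("status"))))
    return hits


def sources_to_alert(log_text, threshold=2):
    """Map source IP to its count of suspicious requests, for sources at or above threshold.

    Repeated malformed IDs from one address look like probing; a single odd
    request may be a typo or a broken client.
    """
    counts = Counter(hit[0] for hit in suspicious_id_requests(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, ts, value, status in suspicious_id_requests(SAMPLE_LOG):
        print("%s %s id=%r status=%d" % (ts, ip, value, status))
    print("alert:", sources_to_alert(SAMPLE_LOG))
```

Feed it the reverse proxy or web server access log for the i-Educar host; if the application passes ID in a POST body rather than the query string, the same allow-list check belongs in the application or WAF log instead. parse_qs decodes one layer of percent-encoding, so a double-encoded payload would still be caught (it is not all digits) but would appear encoded in the output.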

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-22T05:35:21.541Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d336ad712f26b964ce8ea0

Added to database: 9/24/2025, 12:09:17 AM

Last enriched: 9/24/2025, 12:12:48 AM

Last updated: 9/29/2025, 12:24:29 PM
