Portabilis i-Educar CVE-2025-7868
Severity (by source): Low
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD, the only source for this CVE.
Description (CVE.org)
A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /intranet/educar_calendario_dia_motivo_cad.php of the component Calendar Module. The manipulation of the argument Motivo/descricao results in cross-site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Stored cross-site scripting in Portabilis i-Educar up to version 2.10 lets an authenticated remote attacker inject script through the Motivo/descricao parameter of the Calendar Module (/intranet/educar_calendario_dia_motivo_cad.php); the payload executes when a user views the stored entry. The NVD vector rates it Low: the attacker needs an account (PR:L), a victim must open the affected page (UI:P) and the scored impact is limited to integrity (VI:L). Public exploit code is available and the vendor has not responded to disclosure attempts despite early notification.
Technical Context (AI)
The flaw is missing output encoding in a PHP-based school-management system. The Calendar Module's day-reason form (the Portuguese field names Motivo/descricao mean reason/description) fails to adequately escape or validate the submitted value before storing it, and the pages that display it render the stored value into HTML without escaping. This is CWE-79 (Improper Neutralization of Input During Web Page Generation) in its stored form: user-supplied data is persisted in the application database and later served to other users, or the same user, without encoding, so attacker-controlled JavaScript runs in the application's origin with the viewing user's session.
Remediation (AI)
Upgrade Portabilis i-Educar to a release later than 2.10 if the vendor publishes one; no patched version is confirmed in the available data because the vendor did not respond to the disclosure. Until then, apply compensating controls in the affected code. Encode the Motivo/descricao value at every point where it is rendered, using htmlspecialchars() with ENT_QUOTES|ENT_HTML5 and an explicit UTF-8 charset, both in /intranet/educar_calendario_dia_motivo_cad.php and in the calendar views that display stored reasons; output encoding, not input filtering, is the primary fix, because values already persisted for existing records must also be neutralized. Add a Content Security Policy with script-src 'self' (and no 'unsafe-inline') to block injected inline scripts, but deploy it in Content-Security-Policy-Report-Only mode first, since legacy pages that rely on inline scripts will otherwise break. Validate the Motivo field at ingestion time and reject or log values containing HTML/JavaScript metacharacters, treating this as defence in depth rather than a substitute for encoding. Set the HttpOnly and Secure flags (and SameSite) on the session cookie so a successful injection cannot read the session identifier through document.cookie. Monitor application logs for unusual calendar-module activity, in particular POST requests to the affected script whose Motivo/descricao parameter contains angle brackets or encoded HTML entities.
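To make the encoding fix concrete, the following is an added example and not i-Educar's own code: the function names, the table and form markup, and the payload are hypothetical stand-ins for the rendering pattern described above. It shows the vulnerable echo beside the hardened text-context and attribute-context versions, plus the ingestion-time check, the CSP headers and the session cookie flags named in the remediation.

```php
<?php
// Added example for this page; NOT i-Educar's own code. Function names,
// markup and the payload are hypothetical illustrations of the pattern.
declare(strict_types=1);

// Vulnerable pattern: the stored "motivo" (reason) / "descricao"
// (description) value is echoed straight into the calendar page.
// This is what CWE-79 looks like in a legacy PHP view; do not use.
function renderMotivoVulnerable(string $descricao): string
{
    return '<td class="motivo">' . $descricao . '</td>';
}

// Hardened pattern for HTML text context: every metacharacter is encoded,
// so the browser renders the payload as inert text. ENT_SUBSTITUTE stops an
// invalid UTF-8 sequence from silently collapsing the output to "".
function renderMotivoSafe(string $descricao): string
{
    $encoded = htmlspecialchars($descricao, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="motivo">' . $encoded . '</td>';
}

// Same value inside a quoted attribute (the edit form's pre-filled field).
// ENT_QUOTES encodes both quote characters; the attribute must be quoted,
// since an unquoted attribute can be broken out of with whitespace.
function renderMotivoInputSafe(string $descricao): string
{
    $encoded = htmlspecialchars($descricao, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="descricao" value="' . $encoded . '">';
}

// Ingestion-time check used for rejecting or alerting, not as the only
// defence: a calendar reason has no business containing markup, so a hit
// is a strong probing signal. Output encoding above remains mandatory.
function looksLikeMarkup(string $value): bool
{
    return (bool) preg_match('/<|>|&#|&lt;|&gt;|javascript:/i', $value);
}

// Compensating headers. script-src 'self' blocks the inline <script> a
// stored payload would inject, but it also blocks the application's own
// inline scripts: roll it out as Content-Security-Policy-Report-Only first.
function securityHeaders(): array
{
    return [
        'Content-Security-Policy' => "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
        'X-Content-Type-Options'  => 'nosniff',
    ];
}

// Session cookie flags: HttpOnly keeps the session id out of
// document.cookie, Secure keeps it off plain HTTP. Call before session_start().
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed attacker input (not taken from the public exploit): it closes
// the current tag and injects a script in the vulnerable rendering.
$payload = '"><script>alert(document.cookie)</script>';

echo "vulnerable: ", renderMotivoVulnerable($payload), PHP_EOL;
echo "safe text : ", renderMotivoSafe($payload), PHP_EOL;
echo "safe attr : ", renderMotivoInputSafe($payload), PHP_EOL;
echo "flagged   : ", looksLikeMarkup($payload) ? 'yes' : 'no', PHP_EOL;

foreach (securityHeaders() as $name => $value) {
    header("$name: $value"); // no-op on the CLI, sent on a real request
}
hardenSessionCookie();
```

Run it with `php` on the command line: the vulnerable line prints live `<script>` markup, while the two safe lines print `&quot;&gt;&lt;script&gt;...` that a browser shows as text. The encoding is applied at render time rather than before storage so that entries written before the fix are neutralized as well.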