Portabilis i-Diario CVE-2025-7870
Severity: LOW (by source)
CVSS Vector (NVD; primary rating, the only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as problematic, was found in Portabilis i-Diario 1.5.0. This affects an unknown part of the component justificativas-de-falta Endpoint. The manipulation of the argument Anexo leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Cross-site scripting (XSS) in Portabilis i-Diario 1.5.0 allows authenticated users to inject malicious scripts via the Anexo parameter in the justificativas-de-falta endpoint, impacting other users who view the affected content. The vulnerability requires user interaction and authenticated access, with an EPSS score of 0.05% indicating low real-world exploitation likelihood despite public exploit availability. The vendor has not responded to disclosure communications.
Technical Context (AI)
The vulnerability resides in the justificativas-de-falta endpoint of Portabilis i-Diario, a Brazilian educational management system. The Anexo (attachment) parameter fails to properly sanitize or encode user-supplied input before reflecting it in responses or storing it for later rendering, allowing attackers to inject arbitrary HTML and JavaScript. This is a classic Reflected or Stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The CVSS vector indicates network-accessible exploitation with low complexity, but requires prior authentication (PR:L) and user interaction (UI:P), meaning a victim must click a malicious link or view crafted content.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis, and the vendor has not responded to disclosure communications. Immediate compensating controls are required:
(1) Implement a strict Content Security Policy (CSP) header with script-src 'self' so that inline script execution is blocked, neutralizing injected XSS payloads even if they are reflected. This may break legitimate functionality that relies on inline scripts, so test thoroughly in staging.
(2) Apply input validation on the Anexo parameter at the application layer: accept only alphanumeric characters and specific safe file extensions (e.g., .pdf, .jpg), rejecting anything containing HTML or script tags. Document the whitelist to avoid false positives.
(3) Enforce output encoding: all user-supplied data rendered in an HTML context must be HTML-entity-encoded (e.g., < becomes &lt;). This requires code-level fixes if the vendor does not patch.
(4) Restrict access to i-Diario's justificativas-de-falta functionality to authorized educational staff only, using role-based access control to minimize the authenticated user base that could inject payloads.
(5) Monitor access logs for suspicious Anexo parameter values containing script tags or HTML entities.
If the vendor releases a patch, upgrade immediately and verify that the Anexo parameter is properly sanitized. Escalate requests to the vendor (Portabilis) for an official security update through all available channels.
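Controls (2), (3) and (5) above, as an added Ruby example that is not i-Diario's own code: the AnexoGuard module, its method names, the whitelist and the sample values are all constructed for illustration, and the encoder is the standard library's ERB::Util.html_escape (i-Diario is a Ruby on Rails application, which provides the same helper).

```ruby
require 'erb' # ERB::Util.html_escape is the stdlib HTML-entity encoder

# Hypothetical helper (not part of i-Diario) showing the compensating
# controls for the Anexo parameter: whitelist validation, HTML-entity
# encoding before rendering, and a log-monitoring heuristic.
module AnexoGuard
  ALLOWED_EXTENSIONS = %w[pdf jpg jpeg png].freeze
  # Basename of letters, digits, underscore or hyphen, then exactly one
  # dot and a whitelisted extension. No other dots, spaces or markup.
  SAFE_NAME = /\A[A-Za-z0-9_-]{1,100}\.(#{ALLOWED_EXTENSIONS.join('|')})\z/i
  # Raw or entity-encoded angle brackets in a logged parameter value.
  SUSPICIOUS = /[<>]|&(lt|gt|#60|#62);/i

  # Control (2): true only when the value matches the documented whitelist.
  def self.valid_attachment_name?(value)
    value.is_a?(String) && SAFE_NAME.match?(value)
  end

  # Control (3): entity-encode the value so it is inert as an HTML text
  # node or a double-quoted attribute value (& < > " ' are escaped).
  def self.render_attachment_label(value)
    ERB::Util.html_escape(value)
  end

  # Combines both: a link is produced only for whitelisted names, and the
  # visible label is always encoded, so a rejected value cannot run script.
  def self.attachment_link(value)
    label = render_attachment_label(value)
    return "<span class=\"anexo-invalid\">#{label}</span>" unless valid_attachment_name?(value)
    "<a href=\"/anexos/#{label}\">#{label}</a>"
  end

  # Control (5): flag an Anexo value seen in access logs for review.
  def self.suspicious?(value)
    SUSPICIOUS.match?(value.to_s)
  end
end

# Constructed sample values: a legitimate upload name and a markup probe.
SAMPLES = ['atestado_medico_2025.pdf', '<script>alert(1)</script>'].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |v|
    puts "#{v.inspect}: valid=#{AnexoGuard.valid_attachment_name?(v)} " \
         "suspicious=#{AnexoGuard.suspicious?(v)} -> #{AnexoGuard.attachment_link(v)}"
  end
end
```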