Portabilis i-Diario CVE-2025-7872
Severity: LOW (by source)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in Portabilis i-Diario 1.5.0 and classified as problematic. This issue affects some unknown processing of the file /justificativas-de-falta. The manipulation of the argument Justificativa leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Cross-site scripting in Portabilis i-Diario 1.5.0 allows an authenticated user to inject script through the Justificativa parameter of the /justificativas-de-falta endpoint. The CVE record does not say whether the payload is reflected or stored; because absence justifications are persisted records shown to other users, stored XSS that executes in the browser of anyone who later views the record is the likely case. Exploitation requires an account on the instance (PR:L) and a victim who views the affected page (UI:P, passive interaction, not a click on an attacker-supplied link), and the vector scores only a low integrity impact (VI:L) with no confidentiality or availability impact, which is why the rating is LOW despite a publicly disclosed exploit. The EPSS exploitation probability is very low (reported at the 0.05 percentile), and the vendor has not responded to the disclosure.
Technical Context (AI)
The flaw is cross-site scripting (CWE-79) in the Portabilis i-Diario educational management system, version 1.5.0. The application does not HTML-encode the user-supplied 'Justificativa' value when it renders responses for /justificativas-de-falta, the endpoint that handles absence (falta) justification records. i-Diario is a Ruby on Rails application; Rails' ERB templates escape <%= %> output by default, so a gap of this kind usually means the value is emitted through raw, html_safe, or a helper that assembles HTML by string concatenation. The page does not identify the exact view, so treat that as the typical cause rather than a confirmed one. Because the value is persisted and later rendered to other users (or reflected in the response to the submitting request) without encoding, and without a Content Security Policy that blocks inline script, an authenticated attacker can inject JavaScript that runs in victims' browsers within their authenticated session. The CVSS 4.0 vector is network-reachable (AV:N) with low attack complexity (AC:L), but requires an account (PR:L) and a victim who views the page (UI:P), which reduces real-world exploitability.
Remediation (AI)
No vendor-released patch had been identified at the time of analysis. The fix belongs in the application: HTML-entity encode the Justificativa value at every point where it is rendered (encode '<' as &lt;, '>' as &gt;, '"' as &quot;, '&' as &amp;) and remove any raw or html_safe applied to that field; input validation on the way in is a secondary layer, since a justification is free text and cannot reasonably be restricted to a safe alphabet. A Web Application Firewall rule that blocks requests whose Justificativa parameter contains script tags or on*= event handlers is a stopgap only: a WAF blocks or strips, it does not perform output encoding, and payload variants routinely get past signature rules. Add a Content-Security-Policy header with script-src 'self' and no 'unsafe-inline', which keeps injected inline script and event handlers from executing even if an encoding gap remains; test it first, because it also blocks the application's own inline scripts unless they are moved to files or given nonces. As a temporary compensating control, restrict who can create or edit justifications via /justificativas-de-falta (for example, administrators only) and review existing records for HTML markup. Contact Portabilis through its support channels to request a patched release or a security advisory. Instances still on i-Diario 1.5.0 should plan to upgrade when a fixed release appears and confirm that its release notes cover this XSS.
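The encoding gap described in the technical context above and the two remediation layers (output encoding, a CSP without 'unsafe-inline') shown side by side, as an added Ruby example that is not code from i-Diario or from this page. The td markup, the sample payload and the hypothetical `contains_active_markup?` audit helper are constructed for illustration; the helper is a crude triage aid for records already in the database, not a substitute for encoding.

```ruby
require "erb"

# Constructed sample payload: what a user could submit in the Justificativa
# field of an absence justification (illustrative, not the published PoC).
MALICIOUS_JUSTIFICATIVA = 'Atestado medico<img src=x onerror="alert(document.cookie)">'

# Vulnerable rendering: the stored value is interpolated into HTML verbatim,
# which is what a Rails view does once the string is marked html_safe or
# passed through raw. The onerror handler runs in every viewer's browser.
def render_justificativa_vulnerable(justificativa)
  %(<td class="justificativa">#{justificativa}</td>)
end

# Hardened rendering: HTML-entity encode before interpolation.
# ERB::Util.html_escape turns & < > " ' into &amp; &lt; &gt; &quot; &#39;,
# so the markup becomes inert text. Rails' <%= %> does the same by default
# unless html_safe was applied to the string.
def render_justificativa_safe(justificativa)
  %(<td class="justificativa">#{ERB::Util.html_escape(justificativa)}</td>)
end

# Second layer: a Content-Security-Policy that allows only same-origin script
# files. With no 'unsafe-inline', inline <script> blocks and on*= handlers
# (the usual XSS vehicles) do not execute even if an encoding gap remains.
def csp_header
  { "Content-Security-Policy" =>
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" }
end

# Hypothetical audit helper for records already stored: flags values that
# contain markup which would execute if rendered raw. Heuristic only, meant
# for triaging existing justifications, not for filtering input.
ACTIVE_MARKUP = /<\s*script\b|<\s*[a-z][^>]*\bon[a-z]+\s*=|javascript:/i
def contains_active_markup?(value)
  !!(value =~ ACTIVE_MARKUP)
end

if $PROGRAM_NAME == __FILE__
  puts render_justificativa_vulnerable(MALICIOUS_JUSTIFICATIVA)
  puts render_justificativa_safe(MALICIOUS_JUSTIFICATIVA)
  puts csp_header
  puts contains_active_markup?(MALICIOUS_JUSTIFICATIVA)
end
```

Running the file prints the raw fragment (with the live onerror handler), the encoded fragment, the CSP header and `true` for the audit check; the encoded output is the one a browser treats as text.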