Portabilis i-Educar CVE-2025-8346
Severity: LOW (by source)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.10. Affected by this issue is some unknown functionality of the file /educar_aluno_lst.php. The manipulation of the argument ref_cod_matricula with the input "><img%20src=x%20onerror=alert(%27CVE-Hunters%27)> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.10 allows remote unauthenticated attackers to inject arbitrary JavaScript via the ref_cod_matricula parameter of /educar_aluno_lst.php, affecting users who click a crafted link. Exploit code is publicly available. The CVSS score is low (2.1) because user interaction is required, but the flaw is a typical web application weakness in an educational management system, with potential for credential theft or session hijacking.
Technical Context (AI)
The vulnerability exists in a PHP-based educational management system where user input from the ref_cod_matricula HTTP parameter is reflected in the response without proper HTML encoding or input validation. This is a classic reflected XSS scenario (CWE-79) where the web application fails to sanitize or escape special characters before rendering them in the HTML output. The attack vector demonstrates this by injecting an IMG tag with an onerror event handler that executes JavaScript. The vulnerable endpoint /educar_aluno_lst.php appears to be a student roster listing page that accepts query parameters but does not perform contextual output encoding, allowing attacker-controlled HTML and event handlers to be rendered in the user's browser.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Given the vendor's non-responsiveness documented in the disclosure, organizations using i-Educar 2.10 should implement immediate compensating controls: apply Web Application Firewall (WAF) rules to block requests containing ><img, onerror, and similar XSS markers in the ref_cod_matricula parameter; implement output encoding in the application code by HTML-escaping all user input before rendering (replace <, >, ", & with HTML entities); and enforce Content Security Policy (CSP) headers to restrict inline script execution. If internal resources allow, conduct a code review of /educar_aluno_lst.php and similar parameter-handling endpoints to identify and fix all reflection points. Consider upgrading to a newer version if Portabilis releases one, or evaluating alternative educational management systems if the vendor cannot provide security updates.
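The controls described in the Technical Context and Remediation sections, shown as an added example that is not i-Educar's own code: the unsafe concatenation pattern that produces a reflection point beside a hardened handler for the same parameter, plus the CSP header set and a small log-review helper for the WAF/monitoring control. The example assumes, from the "> prefix of the disclosed payload, that ref_cod_matricula is reflected inside a double-quoted HTML attribute; it further assumes (not stated on the page) that a valid value is a short numeric enrollment code, and all function names, the header list and the detection markers are the example's own choices. Note that htmlspecialchars with ENT_QUOTES also encodes the single quote, one character beyond the four listed in the remediation text.

```php
<?php
declare(strict_types=1);

// Added example, not i-Educar's own code. Assumptions: the parameter is reflected
// inside a double-quoted attribute (suggested by the "> prefix of the disclosed
// payload) and a legitimate value is a short numeric enrollment code.

// Unsafe pattern behind CWE-79: the raw parameter is concatenated into the markup.
function renderUnsafe(string $refCodMatricula): string
{
    return '<input type="hidden" name="ref_cod_matricula" value="' . $refCodMatricula . '">';
}

// Contextual output encoding for HTML body and quoted-attribute contexts.
// ENT_QUOTES also converts ' so the helper stays safe in single-quoted attributes.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $refCodMatricula): string
{
    return '<input type="hidden" name="ref_cod_matricula" value="' . esc($refCodMatricula) . '">';
}

// Defence in depth: validate before use. Returns null for anything that is not a
// plausible enrollment code so the handler answers 400 instead of reflecting input.
function validateMatricula(?string $raw): ?int
{
    if ($raw === null || preg_match('/^\d{1,10}$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// A CSP without 'unsafe-inline' blocks inline event handlers such as onerror=...
// even where an encoding gap remains. Adjust the sources to the application's assets.
function securityHeaders(): array
{
    return [
        "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'",
        'X-Content-Type-Options: nosniff',
    ];
}

// Log-review helper for the WAF/monitoring control: flags request lines for the
// affected endpoint whose URL-decoded query carries the markers named in the advisory.
function isXssProbe(string $requestLine): bool
{
    $decoded = strtolower(rawurldecode($requestLine));
    if (strpos($decoded, '/educar_aluno_lst.php') === false) {
        return false;
    }
    foreach (['<img', '><', 'onerror', '<script', 'javascript:'] as $marker) {
        if (strpos($decoded, $marker) !== false) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: the payload quoted in the CVE description.
    $payload = '"><img src=x onerror=alert(\'CVE-Hunters\')>';
    echo "unsafe: ", renderUnsafe($payload), "\n";   // attribute is broken out of
    echo "safe:   ", renderSafe($payload), "\n";     // no raw <, >, " or ' survive
    var_dump(validateMatricula($payload));            // NULL
    var_dump(validateMatricula('12345'));             // int(12345)

    // Constructed access-log request lines (not real traffic).
    $lines = [
        'GET /educar_aluno_lst.php?ref_cod_matricula=12345 HTTP/1.1',
        'GET /educar_aluno_lst.php?ref_cod_matricula=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1',
    ];
    foreach ($lines as $line) {
        echo (isXssProbe($line) ? 'ALERT  ' : 'ok     '), $line, "\n";
    }
} else {
    // Web entry point: headers first, then validate, then render the encoded value.
    foreach (securityHeaders() as $header) {
        header($header);
    }
    $ref = validateMatricula($_GET['ref_cod_matricula'] ?? null);
    if ($ref === null) {
        http_response_code(400);
        exit('invalid ref_cod_matricula');
    }
    echo renderSafe((string) $ref);
}
```

Run it from the command line with `php example.php` (file name is an assumption) to see the unsafe and encoded renderings side by side and the two log lines classified; served through a web server it behaves as the hardened handler. The validation step is the strongest of the three controls for this parameter because it removes the reflection of attacker-controlled text entirely, while output encoding and CSP remain as the general fixes for every other reflection point a code review turns up.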