Portabilis i-Educar CVE-2025-8365
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
A vulnerability was found in Portabilis i-Educar 2.10. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file atendidos_cad.php. The manipulation of the argument nome/nome_social/email leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Stored cross-site scripting (XSS) in Portabilis i-Educar 2.10 via atendidos_cad.php allows an authenticated remote attacker to inject script through the nome, nome_social, or email parameters; the script runs when another user views the stored record, which is why the rating is a minor integrity impact. Public exploit code exists, and the vendor has not responded to the early disclosure notification.
Technical Context (AI-generated)
Portabilis i-Educar is a PHP-based educational management system. The vulnerability is in atendidos_cad.php, the form that handles student enrollment and attendance records. The application does not validate or output-encode the user-supplied nome (name), nome_social (social name), and email parameters: the values are stored as submitted and later rendered into pages without escaping. This is a classic stored XSS (CWE-79: Improper Neutralization of Input During Web Page Generation): untrusted data persists in the application's data store and executes in the browsers of other users who later view it. The CVSS vector indicates that an attacker needs a login (PR:L) and that a victim must interact with the stored content (UI:P), which limits the immediate attack surface but still allows an authenticated low-privilege account to compromise the sessions of higher-privileged users who view the affected records.
Remediation (AI-generated)
No vendor-released patch is available at the time of analysis, as the vendor did not respond to early disclosure. Immediate compensating controls:
(1) Validate input and encode output for the nome, nome_social, and email parameters in atendidos_cad.php, both before storage and when the values are rendered; use PHP htmlspecialchars() or a templating engine with auto-escaping (e.g., Twig) so that stored markup is displayed as text rather than executed.
(2) Add a Web Application Firewall (WAF) rule that blocks requests to atendidos_cad.php containing common XSS markers (e.g., <script>, onerror=, onclick=).
(3) Restrict who may submit data through atendidos_cad.php to trusted administrators, and audit changes to the affected records.
(4) Deploy a Content-Security-Policy header with script-src 'self' to block inline script execution and limit the impact if an injection does occur.
These mitigations cost operational complexity, and the WAF rule may produce false positives that affect availability, but they are necessary until a patch is released. Consider forking the i-Educar repository or engaging community developers to backport a fix if upstream remains unresponsive.
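An added example of control (1) in PHP; this is not i-Educar's own code. It shows the unsafe rendering pattern the advisory describes beside the hardened form, plus pre-storage validation of the three fields. The function names are hypothetical and the sample record is constructed.

```php
<?php
// Added example (not i-Educar code): output-encode the stored nome, nome_social
// and email fields at render time so markup submitted earlier is shown as text.
declare(strict_types=1);

/** Escape one stored value for an HTML body or quoted-attribute context. */
function escapeForHtml(string $value): string
{
    // ENT_QUOTES also encodes ' and ", so the value is safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Validate submitted fields before storage; returns a list of error messages. */
function validateAtendidoInput(array $post): array
{
    $errors = [];
    foreach (['nome', 'nome_social'] as $field) {
        $value = trim((string) ($post[$field] ?? ''));
        // Reject control characters and oversized values; XSS protection itself
        // comes from output encoding, not from stripping characters here.
        if ($value !== '' && (strlen($value) > 255 || preg_match('/[\x00-\x1F\x7F]/', $value))) {
            $errors[] = "$field: invalid characters or too long";
        }
    }
    $email = trim((string) ($post['email'] ?? ''));
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    return $errors;
}

/** Vulnerable pattern, as the advisory describes it: stored values echoed raw. */
function renderRowUnsafe(array $row): string
{
    return "<td>{$row['nome']}</td><td>{$row['nome_social']}</td><td>{$row['email']}</td>";
}

/** Hardened pattern: every stored field passes through escapeForHtml(). */
function renderRowSafe(array $row): string
{
    return '<td>' . escapeForHtml($row['nome']) . '</td>'
         . '<td>' . escapeForHtml($row['nome_social']) . '</td>'
         . '<td>' . escapeForHtml($row['email']) . '</td>';
}

// Constructed sample record containing markup, as an attacker-controlled value would.
$row = ['nome' => '<script>alert(1)</script>', 'nome_social' => 'Ana "A" <b>x</b>', 'email' => 'a@b.example'];
echo renderRowUnsafe($row), "\n"; // markup emitted verbatim: a browser would execute it
echo renderRowSafe($row), "\n";   // &lt;script&gt;... : the browser renders it as text
```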