Portabilis i-Educar CVE-2025-8367
Severity by source: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability classified as problematic has been found in Portabilis i-Educar 2.9. This affects an unknown part of the file /intranet/funcionario_vinculo_lst.php. The manipulation of the argument nome leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via the 'nome' parameter of /intranet/funcionario_vinculo_lst.php. Exploitation requires user interaction (the victim must open a crafted link), but a successful attack can lead to session hijacking, credential theft, and unauthorized administrative actions carried out in the victim's session. Public exploit code is available, though the EPSS value remains low (0.11% percentile), suggesting limited real-world exploitation despite the disclosure.
Technical Context (AI)
Portabilis i-Educar is a PHP-based Brazilian educational management system. The vulnerability exists in the employee relationship listing endpoint (funcionario_vinculo_lst.php), where user-supplied input in the 'nome' (name) parameter is reflected into the HTML response without proper encoding or sanitization. This is a classic reflected XSS (CWE-79): an attacker crafts a URL carrying a JavaScript payload, which executes in the victim's browser when the link is visited. The CVSS vector indicates a network-reachable attack surface with low complexity and no privilege requirements, but user interaction (UI:P) is mandatory: the victim must open the link for the payload to be delivered. Because the endpoint sits under /intranet/, the users most likely to be targeted are staff who are already logged in, which is why the impact is stated in terms of their session and privileges.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis, as the vendor did not respond to early disclosure. Immediate mitigations include:
1. Implement input validation and output encoding for the 'nome' parameter in funcionario_vinculo_lst.php, using PHP functions such as htmlspecialchars() or htmlentities() with the ENT_QUOTES flag so that the value cannot break out of the HTML context it is reflected into. Encoding must be applied at every point where the value is written into the response (element content and attribute values alike), not only at the one known to be affected.
2. Apply a Web Application Firewall (WAF) rule to block requests containing script tags or JavaScript event handlers in the nome parameter. Treat this as a stop-gap only; signature-based filtering is routinely bypassed and does not replace the fix in (1).
3. Deploy Content Security Policy (CSP) headers that disallow inline script execution and limit script sources to trusted domains, so that a missed encoding site is far less likely to be exploitable.
4. Educate users to avoid clicking untrusted links to i-Educar administrative interfaces, especially those arriving via email or external communications.
Organizations should strongly encourage the Portabilis development team to issue a patched version and consider evaluating alternative educational management systems with active security support if the vendor remains unresponsive.
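The output-encoding fix from mitigation (1), as an added example that is not i-Educar's own code: a constructed listing page that reflects a nome parameter, shown first in the unsafe pattern described above and then hardened with htmlspecialchars() plus a restrictive CSP header. The helper h() and the functions render_unsafe() and render_safe() are assumptions made for this illustration.

```php
<?php
// Added example (not i-Educar's own code): the class of defect described
// above and the hardened form of the same page.
declare(strict_types=1);

// Hypothetical helper: HTML-encode a value for safe insertion into element
// content or a double-quoted attribute. ENT_QUOTES encodes both ' and ",
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe pattern: the raw query parameter is concatenated straight into the
// response, so any markup in it becomes part of the page.
function render_unsafe(string $nome): string
{
    return '<input type="text" name="nome" value="' . $nome . '">'
         . '<p>Resultados para: ' . $nome . '</p>';
}

// Hardened pattern: every reflection of the untrusted value goes through h(),
// in both the attribute context and the element-content context.
function render_safe(string $nome): string
{
    return '<input type="text" name="nome" value="' . h($nome) . '">'
         . '<p>Resultados para: ' . h($nome) . '</p>';
}

// Defence in depth (mitigation 3): forbid inline scripts so that a missed
// encoding site cannot execute injected script in browsers that enforce CSP.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

// Accept the parameter only as a scalar string; arrays or absent values become ''.
$nome = filter_input(INPUT_GET, 'nome', FILTER_DEFAULT);
$nome = is_string($nome) ? $nome : '';

echo render_safe($nome);

// Constructed sample showing what the encoder does with context-breaking
// characters; the encoded form can no longer close the attribute or open a tag.
$sample = 'Ana "Teste" <b>';
// h($sample) yields: Ana &quot;Teste&quot; &lt;b&gt;
```

Run it under the PHP CLI to inspect the encoded output, or serve it with the built-in server and request it with a nome query string to compare the two render functions.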