Portabilis i-Educar CVE-2025-8368
Severity: Low (as rated by the source)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (source: CVE.org)
A vulnerability classified as problematic was found in Portabilis i-Educar 2.9. This vulnerability affects unknown code of the file /intranet/pesquisa_pessoa_lst.php. The manipulation of the argument campo_busca/cpf leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Reflected cross-site scripting in Portabilis i-Educar 2.9: the campo_busca and cpf parameters of /intranet/pesquisa_pessoa_lst.php are echoed into the response without output encoding, so a remote, unauthenticated attacker can craft a link that executes arbitrary JavaScript in the browser of any user who opens it. The NVD vector reflects this: no privileges required (PR:N), but the victim must load the attacker-supplied URL (UI:P), and the direct impact is scored as low integrity only (VI:L). In practice a script running in the victim's origin can act with that user's intranet session: read or forge requests, present a fake login form for credential phishing, or, if the session cookie is not HttpOnly, exfiltrate it. Exploit details are public; the vendor did not respond to the disclosure.
Technical Context (AI-generated)
i-Educar is a PHP web application. In pesquisa_pessoa_lst.php the values of the campo_busca and cpf request parameters (GET or POST) are written straight back into the HTML of the search-results page without contextual output encoding (htmlspecialchars() or an auto-escaping template engine) and without validation of the expected input shape. Untrusted data therefore flows from the HTTP request to the HTTP response with no encoding layer in between, the classic reflected XSS pattern (CWE-79). Which HTML context the values land in (element body, attribute value, or both) is not stated in the advisory; a fix has to encode correctly for every context the page actually uses.
Remediation (AI-generated)
No vendor-released patch had been identified at the time of analysis, and the vendor did not respond to the disclosure. Workarounds, roughly in order of effectiveness:
1. Fix the code. Apply contextual output encoding to campo_busca and cpf in pesquisa_pessoa_lst.php (htmlspecialchars() with ENT_QUOTES, or a template engine with auto-escaping) before they are rendered into HTML, and validate cpf against its expected format (eleven digits) so that anything else is rejected rather than echoed.
2. Deploy a Web Application Firewall rule for the two parameters as a stopgap. A denylist of <script>, javascript: and event handlers (onerror=, onclick=, and so on) raises the bar but is routinely bypassed with alternative tags, attributes, case changes and encodings; it does not replace the code fix.
3. Restrict access to the /intranet module with network-level controls (IP allow-listing, VPN) if the search function is not needed by all users; this limits who can be targeted, not the flaw itself.
4. Send a Content Security Policy that disallows inline script execution. Trade-off: legitimate inline scripts in the application will break until they are moved to external files or given nonces.
Organizations should contact Portabilis directly to request a patched version or an end-of-life timeline. If no response is received, consider evaluating alternative open-source or commercial educational management systems with active security maintenance.