Portabilis i-Educar CVE-2025-8369
Severity: LOW (by source)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.9. This issue affects some unknown processing of the file /intranet/educar_avaliacao_desempenho_lst.php. The manipulation of the argument titulo_avaliacao leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 lets a remote attacker inject script through the titulo_avaliacao parameter of /intranet/educar_avaliacao_desempenho_lst.php. Exploitation needs a victim to open an attacker-crafted link or page that issues the request (UI:P); no privileges are required on the attacker's side (PR:N). NVD rates it 2.1 under CVSS 4.0 and EPSS puts the exploitation probability at 0.11% (29th percentile), so the score is low even though a public proof of concept exists (E:P) and the vendor has not responded to disclosure.
Technical Context (AI)
The flaw is reflected XSS, CWE-79 (Improper Neutralization of Input During Web Page Generation), in the PHP-based Portabilis i-Educar school management system. /intranet/educar_avaliacao_desempenho_lst.php writes the titulo_avaliacao parameter into its HTML response without output encoding, so a value containing markup is parsed by the victim's browser as part of the page, and any script in it runs in the application's origin with access to the victim's session. The _lst suffix suggests a listing page, where the usual reflection point is the filter value echoed back into the search form; the encoding required depends on whether that value lands in element content or inside an attribute value, and both contexts must be covered.
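The pattern described above, as an added example that is not code from i-Educar or from the advisory: a listing page reflects its filter value into the search form, first as the vulnerable raw interpolation and then with context-appropriate output encoding. The parameter name comes from the advisory; the HTML template, function names and the two inputs are assumptions constructed for the example.

```php
<?php
// Added example, not i-Educar code. Models a listing page that reflects a
// search-filter value back into its own form. The parameter name is from the
// advisory; the HTML template and function names are assumptions.
declare(strict_types=1);

// Vulnerable pattern (CWE-79): the raw parameter is interpolated into an
// attribute value, so a '"' in the input ends the attribute and whatever
// follows is parsed as markup by the browser.
function renderFilterVulnerable(string $titulo): string
{
    return '<input type="text" name="titulo_avaliacao" value="' . $titulo . '">';
}

// Output encoding for the HTML context. ENT_QUOTES matters: before PHP 8.1 the
// default flags encoded only '"', leaving "'" free to break out of a
// single-quoted attribute. ENT_SUBSTITUTE keeps invalid UTF-8 from turning the
// whole value into an empty string, which would silently drop the filter.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFilterHardened(string $titulo): string
{
    return '<input type="text" name="titulo_avaliacao" value="' . e($titulo) . '">';
}

// True when the encoded value can neither close the attribute nor open a tag.
function hardenedIsSafe(string $value): bool
{
    $out = e($value);
    return strpos($out, '<') === false && strpos($out, '"') === false;
}

// Constructed inputs: a legitimate Portuguese title and a generic
// attribute-breakout payload (not the published proof of concept).
$inputs = [
    'legitimate' => 'Avaliação do 1º bimestre',
    'payload'    => '"><svg onload=alert(document.domain)>',
];

foreach ($inputs as $label => $titulo) {
    echo "[$label] vulnerable: ", renderFilterVulnerable($titulo), "\n";
    echo "[$label] hardened:  ", renderFilterHardened($titulo), "\n";
    echo "[$label] safe after encoding: ", hardenedIsSafe($titulo) ? 'yes' : 'NO', "\n\n";
}

// The accented title passes through encoding unchanged, which is why output
// encoding, unlike an alphanumeric-only input filter, does not break real data.
echo 'legitimate title unchanged: ', e($inputs['legitimate']) === $inputs['legitimate'] ? 'yes' : 'NO', "\n";
```

Run it with `php example.php`. The vulnerable line for the payload contains a live `<svg onload=...>` element; the hardened line contains `&quot;&gt;&lt;svg ...&gt;`, which the browser renders as literal text inside the attribute. If the value is also written into element content or into a JavaScript string elsewhere on the page, each of those sinks needs its own context-specific encoding; htmlspecialchars() alone is only correct for HTML element content and attribute values.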
Remediation (AI)
No vendor-released patch has been identified at time of analysis, and the vendor did not respond to disclosure, so remediation starts with controls the operator applies. The actual fix is output encoding: every user-controlled value written into the page, titulo_avaliacao included, must be encoded for the context it lands in (htmlspecialchars() with ENT_QUOTES for HTML element content and attribute values) at the point of output, not at input. Because i-Educar is a self-hosted PHP application, operators can make that change in the affected file themselves while waiting on the vendor. Input validation is a secondary layer: rejecting < and > in this parameter is a tolerable stopgap, but do not require alphanumeric-only input, since evaluation titles legitimately contain spaces, accents and punctuation. A WAF rule on the affected path is likewise a stopgap, not a fix: match on markup metacharacters and event-handler patterns in the URL-decoded parameter value rather than on the literal string <script>, which attackers avoid with <svg onload=...>, <img onerror=...> or double URL encoding. A Content-Security-Policy that forbids inline script limits what a reflected payload can do even where encoding is missed. Confirm that /intranet/ paths are reachable only by authenticated sessions (enforced by the application, .htaccess or the reverse proxy), review access logs for requests carrying markup in titulo_avaliacao, and disable the affected listing if it is not needed. If the project shows no ongoing maintenance, plan a migration to a supported platform; non-response to a single disclosure does not by itself establish that the product is discontinued.
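The log review and the WAF matching rule above share one heuristic; the following is an added example, not part of i-Educar or of the advisory, that scans web-server access-log lines for requests supplying markup in titulo_avaliacao on the affected path. The four log lines are constructed for the example, the decoding depth and the indicator regex are assumptions, and the same match logic is what a WAF rule scoped to this path would implement.

```php
<?php
// Added example, not i-Educar code: flags access-log requests that send markup
// in the titulo_avaliacao parameter of the affected script. Log lines below
// are constructed; the indicator regex and decoding depth are assumptions.
declare(strict_types=1);

const AFFECTED_PATH = '/intranet/educar_avaliacao_desempenho_lst.php';
const PARAM         = 'titulo_avaliacao';

// parse_str() already decodes once; decode again (bounded) so a double-encoded
// payload (%253C -> %3C -> <) is inspected in its final form.
function fullyDecode(string $value): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Returns the decoded suspicious value, or null when the line is not of interest.
function suspiciousValue(string $logLine): ?string
{
    // Combined log format: ... "GET /path?query HTTP/1.1" ...
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (!is_array($url) || ($url['path'] ?? '') !== AFFECTED_PATH || empty($url['query'])) {
        return null;
    }
    parse_str($url['query'], $params);
    if (!isset($params[PARAM]) || !is_string($params[PARAM])) {
        return null;
    }
    $value = fullyDecode($params[PARAM]);
    // Markup metacharacters or inline-script indicators. A bare quote is the
    // lowest-confidence indicator (titles such as "d'água" contain one); angle
    // brackets and on*= handlers are what an attribute breakout actually needs.
    if (preg_match('/[<>"\']|javascript:|\bon[a-z]+\s*=/i', $value)) {
        return $value;
    }
    return null;
}

// Constructed sample: a legitimate filter, a plain payload, a double-encoded
// payload, and a payload against an unrelated path that must not be flagged.
$lines = [
    '203.0.113.10 - - [01/Aug/2025:10:00:00 +0000] "GET /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=Avalia%C3%A7%C3%A3o+bimestral HTTP/1.1" 200 5120',
    '203.0.113.11 - - [01/Aug/2025:10:00:05 +0000] "GET /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=%22%3E%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 5210',
    '203.0.113.12 - - [01/Aug/2025:10:00:09 +0000] "GET /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5210',
    '203.0.113.13 - - [01/Aug/2025:10:00:12 +0000] "GET /index.php?titulo_avaliacao=%3Cb%3E HTTP/1.1" 200 3000',
];

foreach ($lines as $n => $line) {
    $hit = suspiciousValue($line);
    printf("line %d: %s\n", $n + 1, $hit === null ? 'ok' : 'SUSPICIOUS ' . json_encode($hit));
}
```

Feed real logs with `php scan.php < access.log` after replacing the `$lines` array with a loop over STDIN. Lines 2 and 3 are reported, line 3 only because of the second decoding pass; line 1 (an accented, space-containing title) and line 4 (another path) are not. Treat hits as leads for investigation, and when turning the regex into a blocking rule, decide explicitly whether a lone quote should block or only log.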