Portabilis i-Educar CVE-2025-8370
Severity: LOW (by source)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as problematic, was found in Portabilis i-Educar 2.9. Affected is an unknown function of the file /intranet/educar_escolaridade_lst.php. The manipulation of the argument descricao leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows a remote attacker to inject script via the descricao parameter of /intranet/educar_escolaridade_lst.php; the victim must open the crafted link for the script to execute. The CVSS score is low (2.1) and the EPSS exploitation probability is 0.11%, but public exploit code exists and the vendor did not respond to early disclosure.
Technical Context (AI)
This is a reflected XSS vulnerability (CWE-79) in a PHP-based educational management system. The educar_escolaridade_lst.php endpoint does not validate or encode the descricao parameter before reflecting it in the HTTP response. The attack vector is network-based and requires no privileges, so the flaw is remotely exploitable. Because the XSS is reflected, the payload has to be delivered through a crafted URL or form submission, and the victim must follow the malicious link for the script to run in their browser context.
Remediation (AI)
No vendor-released patch was identified at the time of analysis, and the vendor did not respond to early disclosure. Immediate mitigation requires input validation and output encoding: validate the descricao parameter strictly on the server side, rejecting or sanitizing the HTML-significant characters (< > " ' &), and apply HTML entity encoding to every place the value is reflected in educar_escolaridade_lst.php responses. Additionally, send a Content Security Policy (CSP) header with script-src 'self' so that inline script from a reflected payload is not executed. Organizations that cannot patch immediately should restrict access to the /intranet/ directory to authenticated users via a reverse proxy or network ACLs, and instruct users not to follow untrusted links to i-Educar. Upgrade to a newer version if Portabilis releases one; no version information beyond 2.9.0 was available in the data reviewed.
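The encoding, validation and CSP steps above, as an added PHP example that is not i-Educar's own code. It assumes (hypothetically) that the list page reads the filter value from $_GET['descricao'] and reflects it into an HTML attribute; the sample input is constructed.

```php
<?php
// Added example, not code from i-Educar. Assumption: the page reads the filter
// value from $_GET['descricao'] and reflects it into an HTML attribute.
declare(strict_types=1);

// Hypothetical "before": the raw parameter is concatenated into the markup, so
// any quote or tag in the value becomes part of the page (the CWE-79 pattern).
function render_filter_unsafe(string $descricao): string
{
    return '<input type="text" name="descricao" value="' . $descricao . '">';
}

// Step 1, validation: reject control characters and oversized values outright.
// Returns null when the value must be refused; it does not try to "clean" it.
function validate_descricao(string $value, int $maxLen = 255): ?string
{
    if (mb_strlen($value, 'UTF-8') > $maxLen || preg_match('/[\x00-\x1F\x7F]/u', $value)) {
        return null;
    }
    return $value;
}

// Step 2, output encoding for the attribute context. ENT_QUOTES encodes both
// quote styles so the value cannot close the attribute; ENT_SUBSTITUTE keeps
// htmlspecialchars from returning '' on invalid UTF-8 and silently dropping input.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_filter_safe(string $descricao): string
{
    return '<input type="text" name="descricao" value="' . encode_html($descricao) . '">';
}

// Step 3, defense in depth: a CSP without 'unsafe-inline' stops inline script
// from executing even if some reflection point is missed. Send before any output.
function send_security_headers(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
        header('X-Content-Type-Options: nosniff');
    }
}

// Constructed sample containing every character the remediation text names.
$sample = validate_descricao($_GET['descricao'] ?? 'Ensino "Médio" <turno=\'noite\'> & outros');
send_security_headers();
if ($sample === null) {
    http_response_code(400);
    exit('descricao invalida');
}
echo render_filter_unsafe($sample), PHP_EOL;  // quotes and tags land in the markup
echo render_filter_safe($sample), PHP_EOL;    // every delimiter is entity-encoded
```

The same encode_html() call must be applied at every reflection point; an attribute context is assumed here, and a value echoed into a script block or URL would need a context-specific encoder instead.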