
CVE-2025-10074: Cross Site Scripting in Portabilis i-Educar

Severity: Medium
Tags: Vulnerability, CVE-2025-10074
Published: Mon Sep 08 2025 (09/08/2025, 00:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was identified in Portabilis i-Educar up to version 2.10. The affected element is an unknown function of the file /usuarios/tipos/. Manipulation of the argument Tipos de Usuário/Descrição leads to cross-site scripting. The attack can be initiated remotely. An exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 09/08/2025, 00:33:08 UTC

Technical Analysis

CVE-2025-10074 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Educar versions up to 2.10. The vulnerability resides in an unspecified function within the /usuarios/tipos/ file, where improper sanitization or validation of the 'Tipos de Usuário/Descrição' parameter allows an attacker to inject malicious scripts. This flaw can be exploited remotely without authentication, requiring only user interaction to trigger the malicious payload. The vulnerability has a CVSS 4.0 base score of 5.1, indicating medium severity. The vector is network-based (AV:N) with low attack complexity (AC:L), low privileges required (PR:L), and user interaction needed (UI:P). The impact primarily affects the integrity of the victim's browser session, with limited confidentiality and availability impact: the confidentiality and availability of the underlying system are not affected, but the flaw can lead to session hijacking, defacement, or redirection to malicious sites. Although no exploitation in the wild is currently known, proof-of-concept code is publicly available, which increases the risk of exploitation. The vulnerability is relevant to educational institutions and organizations using i-Educar, an open-source school management system widely used in Brazil and some other countries. The absence of a patch link suggests that remediation may require manual mitigation or vendor updates that are pending or not yet published.

Potential Impact

For European organizations, the impact of this XSS vulnerability depends on the adoption of Portabilis i-Educar within educational institutions or related entities. If deployed, exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, unauthorized actions, or phishing attacks targeting students, teachers, or administrators. This could result in data leakage, reputational damage, and disruption of educational services. While the direct impact on critical infrastructure is limited, the compromise of educational platforms can have cascading effects on data privacy compliance under GDPR and trust in digital education services. The medium severity score reflects the moderate risk, but the ease of remote exploitation and public availability of exploit code increase the urgency for mitigation. European organizations using i-Educar should be particularly vigilant to prevent exploitation that could affect user data integrity and privacy.

Mitigation Recommendations

Specific mitigation steps include:

1) Immediate review and sanitization of all user-supplied input fields related to 'Tipos de Usuário/Descrição' to ensure proper encoding and validation against XSS payloads.
2) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
3) Apply any vendor-provided patches or updates as soon as they become available.
4) Conduct thorough security testing of the i-Educar deployment, focusing on input validation and output encoding.
5) Educate users about the risks of clicking on suspicious links or executing unexpected scripts within the platform.
6) Monitor web application logs for unusual input patterns or repeated attempts to exploit the vulnerability.
7) If patching is delayed, consider deploying Web Application Firewalls (WAFs) with rules targeting known XSS attack vectors specific to this vulnerability.

These steps go beyond generic advice by focusing on the specific vulnerable parameter and leveraging layered defenses to reduce risk.
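The following is an added illustration of steps 1, 2 and 6 above; it is not code from i-Educar or from this advisory. It assumes the 'Descrição' value is a free-text field rendered back into an HTML table (the advisory does not state how the field is rendered), and it uses a constructed application log format with a `descricao=` field, since the real i-Educar log layout is not given on the page. The sample descriptions and log lines are constructed for the demonstration.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed sample values for the user-type description field (assumption: free text
# that the application later places inside HTML element content).
SAMPLE_DESCRIPTIONS = [
    "Coordenador pedagógico",
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
]


def encode_for_html_body(value: str) -> str:
    """Output-encode a stored description before placing it in HTML element content.

    html.escape with quote=True converts & < > " ' so that user-controlled text can
    never close the enclosing element or start a new tag or attribute.
    """
    return html.escape(value, quote=True)


def render_user_type_row(name: str, description: str) -> str:
    """Render one row of the user-type listing with every user-controlled cell encoded."""
    return (
        "<tr><td>" + encode_for_html_body(name) + "</td>"
        "<td>" + encode_for_html_body(description) + "</td></tr>"
    )


def csp_header(nonce: str) -> str:
    """Build a Content-Security-Policy value that only runs same-origin scripts tagged
    with the per-response nonce; an injected inline <script> carries no nonce and is blocked."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    )


# Markers that indicate HTML/script content was submitted where plain text is expected.
XSS_MARKERS = re.compile(r"<\s*script|on\w+\s*=|javascript:", re.IGNORECASE)

# Constructed log line layout (hypothetical, not i-Educar's real format):
#   <timestamp> <method> <path> user=<login> descricao=<url-encoded value>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) user=(?P<user>\S+) descricao=(?P<desc>\S*)$"
)

SAMPLE_LOG = [
    "2025-09-08T00:02:06Z POST /usuarios/tipos/ user=alice descricao=Coordenador+pedag%C3%B3gico",
    "2025-09-08T00:02:40Z POST /usuarios/tipos/ user=mallory descricao=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "2025-09-08T00:03:10Z POST /usuarios/tipos/ user=mallory descricao=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E",
    "2025-09-08T00:04:00Z GET /login user=- descricao=",
]


def flag_suspicious_requests(log_lines):
    """Return (user, decoded description) for requests to /usuarios/tipos/ whose
    description carries script or event-handler markup; other paths are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or not m.group("path").startswith("/usuarios/tipos/"):
            continue
        decoded = unquote_plus(m.group("desc"))  # decode before matching so encoding does not hide markup
        if XSS_MARKERS.search(decoded):
            hits.append((m.group("user"), decoded))
    return hits


if __name__ == "__main__":
    for desc in SAMPLE_DESCRIPTIONS:
        print(render_user_type_row("Tipo", desc))
    print("Content-Security-Policy:", csp_header("constructed-nonce"))
    for user, desc in flag_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious submission by {user}: {desc!r}")
```

Encoding at output time is the fix that removes the defect; the CSP and the log check are the layered controls the list recommends for the window before a vendor update is applied. The log matcher is deliberately narrow (script tags, inline event handlers, javascript: URLs) so that ordinary accented Portuguese descriptions such as the first sample line are not flagged.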


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-07T11:45:35.532Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68be20e2e3f0bafba8aa6107

Added to database: 9/8/2025, 12:18:42 AM

Last enriched: 9/8/2025, 12:33:08 AM

Last updated: 9/8/2025, 6:22:44 AM

