CVE-2025-10074 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Educar platform, affecting all versions up to 2.10. The vulnerability exists in an unspecified function within the /usuarios/tipos/ file, where improper sanitization or validation of the 'Tipos de Usuário/Descrição' parameter allows an attacker to inject malicious scripts. This flaw enables remote attackers to execute arbitrary JavaScript in the context of the victim's browser without requiring authentication, although user interaction is necessary to trigger the payload. The CVSS 4.0 score of 5.1 classifies this as a medium severity issue, reflecting the moderate impact on confidentiality and integrity, with low impact on availability. The attack vector is network-based with low complexity, and no privileges are required to exploit it. The vulnerability does not affect the system's confidentiality or availability significantly but can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user due to the integrity compromise of the web session. Although no known exploits are currently active in the wild, publicly available exploit code increases the risk of exploitation. The lack of a patch link suggests that a fix may not yet be publicly released, emphasizing the need for immediate mitigation steps. Given that i-Educar is an educational management system, the vulnerability could impact sensitive educational data and user accounts within school or educational institution environments.

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to user sessions and potential data manipulation. The XSS flaw could be exploited to steal credentials of teachers, students, or administrators, leading to unauthorized access to personal data, academic records, or administrative controls. This could result in privacy violations under GDPR, reputational damage, and disruption of educational services. The medium severity indicates that while the vulnerability is not critical, it still presents a tangible threat, especially in environments where users may be less security-aware, such as schools. The remote exploitation capability without authentication increases the risk of widespread attacks if the platform is publicly accessible. Additionally, the presence of publicly available exploits could lead to opportunistic attacks targeting European educational institutions, which may have limited cybersecurity resources to detect or respond promptly.

Organizations should immediately implement input validation and output encoding on the affected parameters to prevent script injection. Until an official patch is released, deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the /usuarios/tipos/ endpoint is recommended. Administrators should audit and restrict user permissions to minimize the impact of compromised accounts. Regularly monitoring web logs for suspicious activity related to this endpoint can help detect exploitation attempts. User education on phishing and suspicious links is crucial to reduce the risk of successful XSS exploitation. If possible, isolate the i-Educar platform behind VPN or internal networks to limit exposure. Organizations should also engage with Portabilis for timely updates and patches and plan for prompt deployment once available. Implementing Content Security Policy (CSP) headers can further mitigate the impact of XSS by restricting the execution of unauthorized scripts.