
CVE-2025-10099: Cross Site Scripting in Portabilis i-Educar

Severity: Medium
Published: Mon Sep 08 2025 (09/08/2025, 17:32:09 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A weakness has been identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/educar_usuario_cad.php of the component Editar usuário Page. This manipulation of the argument email/data_inicial/data_expiracao causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.

AI-Powered Analysis

Last updated: 09/08/2025, 18:01:30 UTC

Technical Analysis

CVE-2025-10099 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Educar platform, specifically affecting versions 2.0 through 2.10. The vulnerability resides in the /intranet/educar_usuario_cad.php file within the Editar usuário (Edit User) page component. It arises from improper sanitization or validation of the user-supplied parameters email, data_inicial (start date), and data_expiracao (expiration date). An attacker can remotely exploit this flaw by injecting malicious scripts into these parameters, which are then executed in the context of a victim's browser when the affected page is viewed. This type of vulnerability enables attackers to perform actions such as session hijacking, credential theft, or delivering malicious payloads to users with elevated privileges.

The CVSS 4.0 score of 4.8 classifies this as a medium severity vulnerability: the attack vector is network-based, but exploitation requires user interaction and an authenticated account with high privileges (PR:H). The vulnerability does not significantly impact confidentiality or availability but poses a risk to integrity and user trust. No patches or mitigations have been officially published yet, and although no known exploits are currently in the wild, the exploit code has been publicly disclosed, increasing the risk of exploitation. Given that i-Educar is an educational management system, the vulnerability could affect administrative users managing student and staff data, potentially leading to unauthorized actions or data manipulation via XSS attacks.

Potential Impact

For European organizations, especially educational institutions using Portabilis i-Educar, this vulnerability could lead to unauthorized script execution in administrative interfaces. This may result in session hijacking of administrative users, unauthorized changes to user data, or the spread of malware within the institution's network. The impact extends to potential reputational damage and compliance risks under GDPR if personal data is compromised or manipulated. Since the vulnerability requires authentication and user interaction, the risk is somewhat mitigated but remains significant in environments where multiple users have elevated privileges and may be targeted via phishing or social engineering. The presence of publicly available exploit code increases the likelihood of opportunistic attacks. Educational institutions often have interconnected systems and sensitive personal data, making containment and remediation critical to prevent lateral movement or broader compromise.

Mitigation Recommendations

Organizations should immediately review and restrict access to the Editar usuário page to only trusted administrative users. Implement strict input validation and output encoding on all user-supplied parameters, particularly email, data_inicial, and data_expiracao fields, to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor logs for unusual activity related to these parameters and user sessions. Since no official patch is currently available, consider deploying Web Application Firewalls (WAF) with custom rules to detect and block XSS payloads targeting the vulnerable endpoints. Educate administrative users about phishing risks and the importance of cautious interaction with links or inputs that could trigger the vulnerability. Plan for rapid deployment of vendor patches once released and conduct thorough testing in staging environments before production rollout.
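The validation and output-encoding step recommended above, as an added example (not i-Educar's own code): it assumes the three fields are rendered back into input value attributes, that dates use the dd/mm/yyyy format, and that the helper names are illustrative.

```php
<?php
// Added example (not i-Educar's code): validate and encode the advisory's three
// parameters before rendering them back into the edit-user form. dd/mm/yyyy is assumed.
declare(strict_types=1);

function validate_email(string $raw): ?string {
    $email = trim($raw);
    // A value carrying tags or quotes is not a valid address and is rejected.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

function validate_date(string $raw): ?string {
    $value = trim($raw);
    $dt = DateTime::createFromFormat('!d/m/Y', $value);
    // createFromFormat is lenient (31/02/2025 rolls over into March), so the
    // round-tripped string must equal the input for it to count as a date.
    return ($dt !== false && $dt->format('d/m/Y') === $value) ? $value : null;
}

function esc(string $value): string {
    // Output encoding for an HTML attribute; ENT_QUOTES encodes both quote
    // styles so a value cannot close the value="..." attribute early.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Returns the encoded form fields plus the names of any rejected inputs,
// which are worth logging: a rejected value may be a probe for this CVE.
function render_user_fields(array $input): array {
    $clean = [
        'email'          => validate_email($input['email'] ?? ''),
        'data_inicial'   => validate_date($input['data_inicial'] ?? ''),
        'data_expiracao' => validate_date($input['data_expiracao'] ?? ''),
    ];
    $html = [];
    $errors = [];
    foreach ($clean as $name => $value) {
        if ($value === null && ($input[$name] ?? '') !== '') {
            $errors[] = $name;
        }
        $html[] = sprintf('<input type="text" name="%s" value="%s">', esc($name), esc($value ?? ''));
    }
    return ['html' => implode("\n", $html), 'errors' => $errors];
}

// Constructed sample request: two valid fields and one attribute break-out attempt.
$sample = ['email' => 'admin@example.org', 'data_inicial' => '01/03/2025',
           'data_expiracao' => '"><script>x</script>'];
$out = render_user_fields($sample);
echo $out['html'], "\n", 'rejected: ', implode(', ', $out['errors']), "\n";
```

The rejected field name is what the log-monitoring recommendation above would key on; the encoded output is what reaches the browser regardless of validation outcome.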


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-08T09:58:48.836Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68bf1696d5a2966cfc81ef0e

Added to database: 9/8/2025, 5:47:02 PM

Last enriched: 9/8/2025, 6:01:30 PM

Last updated: 9/9/2025, 4:58:46 PM

