
CVE-2025-10372: Cross Site Scripting in Portabilis i-Educar

Severity: Medium
Published: Sat Sep 13 2025 (09/13/2025, 18:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A weakness has been identified in Portabilis i-Educar up to and including version 2.10. Affected is an unknown function of the file /intranet/educar_modulo_cad.php. Manipulation of the argument nm_tipo/descricao leads to cross-site scripting. The attack can be launched remotely. A public exploit is available and may be used.

AI-Powered Analysis

Last updated: 10/28/2025, 03:50:18 UTC

Technical Analysis

CVE-2025-10372 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar, an open-source school-management system used mainly by Brazilian municipal education networks. The flaw is in /intranet/educar_modulo_cad.php, in its handling of the nm_tipo and descricao arguments: their values reach the HTML response without adequate output encoding, so an attacker who controls them can inject arbitrary HTML and JavaScript. The attack is network-reachable and needs user interaction (the victim must load the crafted page or link). The advisory does not state which privilege level the injection requires; since the script sits under /intranet/, the authenticated staff area, practitioners should assume at least a low-privileged account is involved in planting the payload, and that whoever later views the affected output executes it. Neither does the advisory say whether the payload is reflected or stored; a registration ("cad") form that persists its fields would make this a stored XSS, which widens the set of victims beyond the user who follows a link, but that is not confirmed. Script running in a victim's session can read whatever that session can, perform actions as that user and, if the session cookie lacks the HttpOnly flag, steal it outright. The CVSS 4.0 base score is 5.1 (medium), reflecting the need for user interaction. No in-the-wild exploitation is reported, but a proof-of-concept is public, which lowers the bar for attackers. All versions up to and including 2.10 are affected, and no vendor fix was listed at publication, so mitigation has to be applied at deployment level until one appears.

Potential Impact

For European organizations, in practice educational institutions or service providers that run Portabilis i-Educar, the vulnerability exposes user sessions and the student and staff records the application holds. A successful attack can yield credential or session theft, unauthorized changes to records and actions performed in the victim's name, so both confidentiality and integrity are at stake; availability is affected only indirectly. Because the payload runs in the victim's browser, phishing or a planted link is the likely delivery path, and if the injected value turns out to be stored, every staff member who opens the affected page becomes a victim without any link at all. The medium score reflects the need for user interaction, but the public proof-of-concept raises the urgency. Student records are personal data under GDPR, so a compromise carries notification duties and possible penalties on top of the operational and reputational damage. Organizations should therefore establish whether they are exposed and apply mitigations promptly.

Mitigation Recommendations

Organizations should immediately inventory their i-Educar deployments and identify any instance running version 2.10 or earlier. No official patch is listed on this page, so monitor the vendor's communications and the project's release notes for a fix and apply it as soon as one ships. In the interim, the durable fix for the root cause is contextual output encoding at the point where nm_tipo and descricao are rendered (htmlspecialchars with ENT_QUOTES for HTML body and attribute contexts); input validation on those arguments is worth adding, but since they are free-text fields it cannot by itself remove the risk. Deploy a Content Security Policy that disallows inline script, so that an injected script block or event handler is refused by the browser even where an encoding gap remains, and set the HttpOnly and SameSite flags on the session cookie to limit what a successful injection can steal. Add WAF rules that flag or block script-like payloads in the nm_tipo and descricao arguments of /intranet/educar_modulo_cad.php, bearing in mind that a form submitted by POST will not show the payload in the access log, so detection needs request-body inspection or application-side logging. Review those logs regularly for suspicious activity against the intranet module, restrict access to it to trusted accounts until a fix is available, remind users of the phishing risk, and make sure the incident response plan covers session invalidation and credential resets for affected users.
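The vulnerable and hardened rendering patterns described in the technical analysis and in the mitigation above, as an added PHP illustration. This is not i-Educar's code and does not reproduce its handler: the function names, the table markup, the length limits and the sample payload are assumptions chosen to show the encoding fix, a validation layer and a CSP value side by side.

```php
<?php
// Added illustration for CVE-2025-10372 (not i-Educar's own code).
// The real form handler is not reproduced; function names, table layout,
// length limits and the sample payload below are assumptions.

declare(strict_types=1);

// Vulnerable pattern: attacker-controlled values from the nm_tipo / descricao
// arguments are concatenated straight into HTML. Any '<', '"' or '>' the
// user supplies is interpreted as markup, so a payload such as
// <script>...</script> runs in the browser of whoever views the page.
function render_modulo_row_vulnerable(string $nm_tipo, string $descricao): string
{
    return "<tr><td>" . $nm_tipo . "</td><td>" . $descricao . "</td></tr>";
}

// Hardened pattern, part 1: contextual output encoding. htmlspecialchars()
// with ENT_QUOTES turns every character that has meaning in an HTML text or
// attribute context into an entity; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string (which would silently drop the
// field). Pinning the charset avoids a mismatch reopening the hole.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_modulo_row_safe(string $nm_tipo, string $descricao): string
{
    return "<tr><td>" . h($nm_tipo) . "</td><td>" . h($descricao) . "</td></tr>";
}

// Hardened pattern, part 2: input validation as defence in depth. Module
// names and descriptions are free text, so this does not try to "filter
// out" HTML; it only rejects control characters and enforces a length cap.
// The limits are assumptions, not i-Educar's schema constraints.
function validate_modulo_input(string $nm_tipo, string $descricao): array
{
    $errors = [];
    if ($nm_tipo === '' || mb_strlen($nm_tipo, 'UTF-8') > 100) {
        $errors[] = 'nm_tipo must be 1-100 characters';
    }
    if (mb_strlen($descricao, 'UTF-8') > 1000) {
        $errors[] = 'descricao must be at most 1000 characters';
    }
    foreach (['nm_tipo' => $nm_tipo, 'descricao' => $descricao] as $name => $v) {
        if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $v)) {
            $errors[] = "$name contains control characters";
        }
    }
    return $errors;
}

// Hardened pattern, part 3: a Content-Security-Policy that forbids inline
// script, so a reflected <script> block or onerror= handler is refused by
// the browser even if an encoding gap remains. 'self' for script-src
// assumes the application serves its own JS from the same origin.
function csp_header_value(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; "
         . "base-uri 'self'; frame-ancestors 'self'";
}

// Constructed sample input (not the published PoC): two classic XSS probes.
$payloadNmTipo    = '<script>alert(document.cookie)</script>';
$payloadDescricao = '"><img src=x onerror=alert(1)>';

if (PHP_SAPI === 'cli') {
    echo "Vulnerable: ", render_modulo_row_vulnerable($payloadNmTipo, $payloadDescricao), "\n";
    echo "Hardened:   ", render_modulo_row_safe($payloadNmTipo, $payloadDescricao), "\n";
    echo "Validation: ", implode('; ', validate_modulo_input($payloadNmTipo, $payloadDescricao)) ?: 'ok', "\n";
} elseif (!headers_sent()) {
    header('Content-Security-Policy: ' . csp_header_value());
}
```

Run it with php from the command line: the vulnerable row echoes the payload as live markup, the hardened row renders the same bytes as inert entities, and the validation layer reports "ok" for the same payload. That last result is the point of showing it: free-text fields cannot be filtered into safety, they have to be encoded where they are rendered, with CSP as the backstop.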


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-12T14:26:45.735Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c5b4bee14ebf9f5cc7eca6

Added to database: 9/13/2025, 6:15:26 PM

Last enriched: 10/28/2025, 3:50:18 AM

Last updated: 10/29/2025, 9:29:24 AM

