
CVE-2025-10372: Cross Site Scripting in Portabilis i-Educar

Severity: Medium
Published: Sat Sep 13 2025 (09/13/2025, 18:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A weakness has been identified in Portabilis i-Educar up to 2.10. An unknown function of the file /intranet/educar_modulo_cad.php is affected. Manipulation of the argument nm_tipo/descricao causes cross-site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be used.

AI-Powered Analysis

Last updated: 09/13/2025, 18:30:14 UTC

Technical Analysis

CVE-2025-10372 is a cross-site scripting (XSS) vulnerability in the Portabilis i-Educar platform, versions up to 2.10. It lies in an unspecified function of the file /intranet/educar_modulo_cad.php, where the parameters 'nm_tipo' and 'descricao' are neither validated on input nor encoded on output, so attacker-controlled text is reflected into the page as markup. A remote attacker who gets a victim to open a crafted request can therefore run arbitrary JavaScript in the victim's browser; no authentication is needed, but user interaction is required to trigger the payload. The CVSS 4.0 base score is 5.1 (medium): the attack vector is network, attack complexity is low, no privileges are required, and user interaction is required. The impact is to the confidentiality and integrity of the user's session and data, which could lead to session hijacking, credential theft, or actions performed in the platform on the user's behalf; availability is not affected. No active exploitation in the wild is known, but exploit code has been published, which raises the likelihood of attempts. The affected range spans i-Educar 2.0 through 2.10, so many deployments may remain vulnerable until updated or mitigated. Because i-Educar is an educational management system, the institutions that run it for intranet and administrative purposes are the ones exposed.

Potential Impact

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk to the confidentiality and integrity of user data and sessions. Exploitation could lead to unauthorized access to sensitive student or staff information, manipulation of educational records, or unauthorized actions performed within the platform. Given the remote exploitability and public availability of exploit code, attackers could target users via phishing or malicious links to execute scripts in their browsers. This could result in data leakage, credential compromise, or reputational damage to affected institutions. While the vulnerability does not directly impact system availability, the indirect consequences of data breaches or unauthorized access could disrupt educational operations and erode trust in digital services. The medium severity suggests a moderate risk, but the widespread use of the affected versions could amplify the impact if not addressed promptly.

Mitigation Recommendations

1. Immediate application of patches or updates from Portabilis once available is the most effective mitigation. If patches are not yet released, organizations should implement input validation and output encoding on the affected parameters ('nm_tipo' and 'descricao') to neutralize malicious scripts.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the i-Educar platform.
3. Educate users about the risks of clicking on suspicious links or inputs that could trigger XSS attacks, emphasizing cautious behavior with links received via email or messaging.
4. Implement web application firewalls (WAF) with rules designed to detect and block common XSS payloads targeting the vulnerable parameters.
5. Regularly audit and monitor web application logs for unusual activities or repeated attempts to inject scripts.
6. Limit user privileges within the platform to reduce the potential impact of compromised accounts.
7. Consider isolating the i-Educar intranet environment or restricting access to trusted networks until the vulnerability is remediated.
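As an added example (not code from i-Educar or Portabilis), the following hypothetical PHP handler shows the input validation, output encoding and CSP header recommended in items 1 and 2 applied to the nm_tipo and descricao parameters. It assumes the page reflects both values into HTML, that the mbstring extension is loaded, and a PHP 8.1 or later runtime.

```php
<?php
// Added example, not i-Educar's own code: a hypothetical handler that
// reflects nm_tipo and descricao safely. Assumes PHP >= 8.1 and mbstring.
declare(strict_types=1);

// Encode a value for an HTML text node or a double/single-quoted attribute.
function h(string $value): string
{
    // ENT_QUOTES escapes both quote characters so the value is safe inside
    // attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Server-side validation: bound the length and reject control characters.
// Encoding alone is the XSS fix; validation limits what reaches the view at all.
function validate_text(?string $value, int $maxLen): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value) === 1) {
        return null;
    }
    return $value;
}

// Defence in depth: a CSP without 'unsafe-inline' blocks reflected inline
// script even if an encoding gap remains elsewhere in the page.
// Headers must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('Content-Type: text/html; charset=UTF-8');

// Length limits are assumed values for this example, not i-Educar's schema.
$nmTipo    = validate_text($_POST['nm_tipo'] ?? $_GET['nm_tipo'] ?? null, 100);
$descricao = validate_text($_POST['descricao'] ?? $_GET['descricao'] ?? null, 500);

if ($nmTipo === null || $descricao === null) {
    http_response_code(400);
    exit('Invalid input.');
}

// Every reflected value passes through h(); raw request data is never echoed.
echo '<input type="text" name="nm_tipo" value="' . h($nmTipo) . '">';
echo '<textarea name="descricao">' . h($descricao) . '</textarea>';
```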


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-12T14:26:45.735Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c5b4bee14ebf9f5cc7eca6

Added to database: 9/13/2025, 6:15:26 PM

Last enriched: 9/13/2025, 6:30:14 PM

Last updated: 9/13/2025, 11:03:38 PM
