CVE-2025-10373: Cross Site Scripting in Portabilis i-Educar
A security vulnerability has been detected in Portabilis i-Educar up to version 2.10. The affected element is an unknown function of the file /intranet/educar_turma_tipo_cad.php. Manipulation of the argument nm_tipo leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-10373 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Educar platform, affecting all versions up to 2.10. The vulnerability resides in an unspecified function within the file /intranet/educar_turma_tipo_cad.php and involves manipulation of the 'nm_tipo' argument. An attacker can exploit this flaw by injecting malicious scripts remotely, without authentication, although user interaction is required to trigger the payload. The advisory does not state whether the flaw is reflected or stored XSS; in either case it allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the network attack vector, low attack complexity and no privileges required, offset by the need for user interaction and limited impact on integrity and availability. No exploitation in the wild has been observed so far, but public disclosure increases the risk of exploitation. The vulnerability affects educational institutions and organizations using i-Educar for intranet-based management of school classes and class types, potentially exposing sensitive educational data and user credentials.
Potential Impact
For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a moderate risk. Successful exploitation could lead to unauthorized access to user sessions, data leakage, and potential manipulation of educational records or administrative functions. Given that i-Educar is an education management system, compromised accounts could disrupt school operations, expose personal data of students and staff, and damage institutional reputation. The remote exploitability without authentication increases the attack surface, especially in environments where the intranet is accessible or insufficiently segmented. The requirement for user interaction means phishing or social engineering could be leveraged to trigger the attack. The impact on confidentiality and integrity is moderate, while availability impact is minimal. European data protection regulations such as GDPR impose strict requirements on protecting personal data, so exploitation could also lead to regulatory penalties and compliance issues.
Mitigation Recommendations
Organizations should immediately assess their use of Portabilis i-Educar versions up to 2.10 and plan for an upgrade or patch as soon as one becomes available from the vendor. In the absence of an official patch, implement input validation and output encoding on the 'nm_tipo' parameter to neutralize malicious scripts. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this parameter. Educate users about the risks of clicking on untrusted links or interacting with unexpected content within the intranet. Network segmentation should be enforced to restrict access to the intranet hosting i-Educar, limiting exposure to external threats. Regularly monitor logs for unusual activity related to the vulnerable endpoint. Finally, conduct security testing and code reviews on customizations or integrations involving i-Educar to identify and remediate similar injection flaws.
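The validation and output-encoding advice above, as an added illustration that is not i-Educar's own code: the page does not show the affected function, so the vulnerable pattern below is a hypothetical reconstruction of how an unencoded 'nm_tipo' reaches the page, placed beside a hardened handler that validates the value and encodes it for the HTML attribute context.

```php
<?php
// Added example, not code from i-Educar. The real function in
// educar_turma_tipo_cad.php is not published on the page; this is a
// hypothetical reconstruction used to show the fix pattern.
declare(strict_types=1);

// Vulnerable pattern to look for in code review: the request value is
// written back into the form unchanged, so any markup in nm_tipo is
// rendered by the browser.
function render_nm_tipo_vulnerable(string $nm_tipo): string
{
    return '<input type="text" name="nm_tipo" value="' . $nm_tipo . '">';
}

// Input validation: a class-type name is a short, human-readable label.
// Allow letters (including accented ones), digits, spaces and a little
// punctuation, cap the length, and reject everything else.
function validate_nm_tipo(string $nm_tipo): ?string
{
    $nm_tipo = trim($nm_tipo);
    if ($nm_tipo === '' || mb_strlen($nm_tipo, 'UTF-8') > 50) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .\-_()]+$/u', $nm_tipo)) {
        return null;
    }
    return $nm_tipo;
}

// Output encoding for an HTML attribute value. ENT_QUOTES covers both
// quote styles, so the value cannot break out of the attribute even if
// the validation rule is relaxed later.
function render_nm_tipo_hardened(string $nm_tipo): string
{
    $safe = htmlspecialchars($nm_tipo, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="nm_tipo" value="' . $safe . '">';
}

// Request handling: validate first, encode on every output path, and log
// rejections so the endpoint can be monitored for probing.
$raw = (string)($_POST['nm_tipo'] ?? $_GET['nm_tipo'] ?? '');
$nm_tipo = validate_nm_tipo($raw);
if ($nm_tipo === null) {
    http_response_code(400);
    error_log('educar_turma_tipo_cad.php: rejected nm_tipo value');
    exit('Invalid class type name.');
}
echo render_nm_tipo_hardened($nm_tipo);
```

The same encoding must be applied wherever a stored nm_tipo value is later rendered (lists, edit forms, reports), not only on the form that receives it.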
Affected Countries
Portugal, Spain, Italy, France, Germany, United Kingdom
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T14:26:55.893Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c5bbbae14ebf9f5cc83e7b
Added to database: 9/13/2025, 6:45:14 PM
Last enriched: 9/13/2025, 7:00:19 PM
Last updated: 9/13/2025, 9:35:00 PM