
CVE-2025-10584: Cross Site Scripting in Portabilis i-Educar

Severity: Medium
Published: Wed Sep 17 2025 (09/17/2025, 03:02:07 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /intranet/educar_calendario_anotacao_cad.php. Such manipulation of the argument nm_anotacao/descricao leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 09/17/2025, 03:48:10 UTC

Technical Analysis

CVE-2025-10584 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Educar platform, affecting versions 2.0 through 2.10. The vulnerability resides in an unspecified function within the file /intranet/educar_calendario_anotacao_cad.php and involves the nm_anotacao/descricao parameter. This parameter is insufficiently sanitized, allowing an attacker to inject scripts that execute in the context of the victim's browser. The vulnerability can be exploited remotely without authentication, though it requires user interaction (e.g., a user visiting a crafted URL or interacting with a malicious payload). The CVSS 4.0 base score is 5.1, indicating medium severity. The vector details indicate a network-based attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, i.e. low but not none), and required user interaction (UI:P). The vulnerability impacts the confidentiality and integrity of the affected system to a limited extent: the XSS could be used to steal session cookies, perform actions on behalf of the user, or deliver further payloads. No known exploits are currently active in the wild, but public exploit code is available, increasing the risk of exploitation. The lack of available patches or official remediation guidance at the time of publication means that affected organizations must implement interim mitigations promptly. Given that i-Educar is an educational management system, the vulnerability could impact the confidentiality of student and staff data and the integrity of educational records if exploited.

Potential Impact

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk to the confidentiality and integrity of sensitive educational data. Exploitation could lead to session hijacking, unauthorized actions within the platform, or delivery of malicious payloads to users, potentially causing reputational damage and regulatory compliance issues under GDPR due to exposure of personal data. The remote exploitability and public availability of exploit code increase the likelihood of attacks, especially targeting users with elevated privileges such as administrators or teachers. Disruption of educational services could also occur if attackers leverage the vulnerability to inject disruptive scripts. While the vulnerability does not directly affect availability, the indirect consequences of exploitation could impact operational continuity. European educational institutions often have stringent data protection requirements, so even medium-severity vulnerabilities warrant prompt attention.

Mitigation Recommendations

1. Immediate mitigation should include implementing strict input validation and output encoding on the nm_anotacao/descricao parameter to neutralize malicious scripts.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application context.
3. Restrict user privileges to the minimum necessary, especially for users who can input data into the vulnerable parameter.
4. Monitor web server logs for suspicious requests targeting /intranet/educar_calendario_anotacao_cad.php and unusual user activity indicative of exploitation attempts.
5. Educate users about the risks of clicking on untrusted links and encourage cautious behavior.
6. Engage with the vendor Portabilis for official patches or updates and apply them promptly once available.
7. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this vulnerability.
8. Conduct regular security assessments and penetration testing focusing on input validation and XSS vectors within the i-Educar platform.
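The log monitoring in recommendation 4, as an added example that is not part of this advisory or of i-Educar: a small Python scanner over Apache-style access-log lines that flags requests to the affected path whose nm_anotacao or descricao query parameter carries HTML or script markup, including double URL-encoded values. The path and parameter names come from the advisory; the log format, the detection regex and the sample lines are assumptions (the sample traffic is constructed, not real).

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Path and parameter names taken from the advisory.
TARGET_PATH = "/intranet/educar_calendario_anotacao_cad.php"
WATCHED_PARAMS = ("nm_anotacao", "descricao")

# Markup a calendar note title/description should never contain: an opening
# tag, a javascript: URL or an on*= handler. Treat hits as leads, not proof.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Apache/nginx "combined" access-log line; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def inspect_line(line):
    """Return a finding for a request to the advisory's path whose watched
    parameter carries suspicious markup, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes once
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            value = unquote_plus(value)  # second pass catches double-encoded values
            if SUSPICIOUS.search(value):
                return {"ip": m.group("ip"), "time": m.group("ts"),
                        "param": name, "value": value, "status": m.group("status")}
    return None

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample traffic (not real logs): one benign note, one plain
# script-tag probe, one double-encoded probe, one hit on an unrelated path.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2025:03:10:01 +0000] "GET /intranet/educar_calendario_anotacao_cad.php?nm_anotacao=Reuni%C3%A3o+de+pais&descricao=Sala+3 HTTP/1.1" 200 1543
203.0.113.7 - - [17/Sep/2025:03:11:45 +0000] "GET /intranet/educar_calendario_anotacao_cad.php?nm_anotacao=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1601
203.0.113.9 - - [17/Sep/2025:03:12:02 +0000] "GET /intranet/educar_calendario_anotacao_cad.php?descricao=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 1580
203.0.113.11 - - [17/Sep/2025:03:13:30 +0000] "GET /intranet/index.php?q=%3Cscript%3E HTTP/1.1" 404 220
"""
```

Running scan(SAMPLE_LOG.splitlines()) returns the two probes against the affected path and nothing for the benign note or the unrelated path. Access logs only carry the query string, so a form submitted by POST to this page must be inspected at the application or WAF layer instead.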


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-16T20:17:14.422Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ca2bd1571b2840ff02c434

Added to database: 9/17/2025, 3:32:33 AM

Last enriched: 9/17/2025, 3:48:10 AM

Last updated: 9/18/2025, 12:10:44 AM

