CVE-2025-10584: Cross Site Scripting in Portabilis i-Educar
A vulnerability was identified in Portabilis i-Educar up to version 2.10. The affected code is an unknown function in the file /intranet/educar_calendario_anotacao_cad.php. Manipulation of the arguments nm_anotacao and descricao leads to cross-site scripting. The attack can be launched remotely. A public exploit exists and may be used.
AI Analysis
Technical Summary
CVE-2025-10584 is a cross-site scripting vulnerability in the Portabilis i-Educar platform, affecting versions 2.0 through 2.10. The vulnerability resides in the /intranet/educar_calendario_anotacao_cad.php file, where the parameters nm_anotacao and descricao are neither validated nor encoded before being reflected into the page's HTML output. This lets an attacker inject JavaScript remotely without requiring authentication. The attack vector is network-based (AV:N), with low attack complexity (AC:L), low privileges required (PR:L), and passive user interaction needed (UI:P). The vulnerability affects the integrity and confidentiality of the victim's session by executing script in their browser context, which can lead to session hijacking, credential theft, or phishing. Although no active exploitation has been reported, a public exploit exists, which raises the likelihood of exploitation. Availability is not affected and the vulnerability does not propagate beyond the vulnerable system. The CVSS 4.0 base score is 5.1 (medium). The issue is particularly concerning for educational institutions using i-Educar, as it could expose sensitive student and staff information or disrupt educational operations. With no official patch available at the time of publication, administrators need to apply compensating mitigations immediately.
Potential Impact
For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability puts the confidentiality and integrity of user data at risk. Successful exploitation could allow attackers to execute malicious scripts in the browsers of educators, students, or administrators, leading to session hijacking, credential theft, or unauthorized actions within the platform. That in turn could mean unauthorized access to sensitive educational records, manipulation of academic data, or phishing campaigns against users. While availability is not directly affected, the reputational damage and potential regulatory consequences under GDPR for a data breach could be significant. The medium severity score indicates moderate risk, but the public exploit and the remote attack vector make addressing this vulnerability more urgent. European organizations relying on i-Educar for educational management should treat the threat as serious enough to warrant immediate action.
Mitigation Recommendations
1. Implement strict input validation and output encoding on the nm_anotacao and descricao parameters to prevent injection of malicious scripts.
2. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application context.
3. Restrict access to the vulnerable /intranet/educar_calendario_anotacao_cad.php endpoint to trusted users or networks where possible.
4. Monitor web application logs for suspicious input patterns indicative of XSS attempts.
5. Educate users about the risks of clicking on unsolicited links and encourage the use of updated browsers with built-in XSS protections.
6. Engage with Portabilis for official patches or updates and apply them promptly once available.
7. Consider deploying Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this vulnerability.
8. Conduct regular security assessments and code reviews of the i-Educar deployment to identify and remediate similar vulnerabilities proactively.
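The following PHP snippet is an added example, not i-Educar's own code, showing what steps 1 and 2 above look like in practice for a form handler that reflects nm_anotacao and descricao. The parameter names come from the advisory; the form markup, the function names (h, renderNoteFormUnsafe, renderNoteFormSafe, sendCspHeader), the length limits and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example (not Portabilis i-Educar code): output encoding and a CSP
// header for a calendar-note form that reflects nm_anotacao and descricao.
// Function names, markup, limits and sample input are assumptions.
declare(strict_types=1);

/** Encode a value for an HTML text node or a double-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning '' and silently blanking the field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: request values are echoed straight into the page. */
function renderNoteFormUnsafe(array $params): string
{
    $nome      = (string)($params['nm_anotacao'] ?? '');
    $descricao = (string)($params['descricao'] ?? '');
    return '<input type="text" name="nm_anotacao" value="' . $nome . '">'
         . '<textarea name="descricao">' . $descricao . '</textarea>';
}

/** Hardened pattern: bound the input length, then encode on output. */
function renderNoteFormSafe(array $params): string
{
    // Assumed limits; mb_substr needs the mbstring extension (substr works
    // too but may cut a multi-byte character in half).
    $nome      = mb_substr((string)($params['nm_anotacao'] ?? ''), 0, 255, 'UTF-8');
    $descricao = mb_substr((string)($params['descricao'] ?? ''), 0, 4000, 'UTF-8');
    return '<input type="text" name="nm_anotacao" value="' . h($nome) . '">'
         . '<textarea name="descricao">' . h($descricao) . '</textarea>';
}

/** Defense in depth: a CSP that refuses inline script even if an encoding gap remains. */
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'");
}

// Constructed input: a note name and description containing quotes and angle
// brackets, the characters that break out of an attribute or a text node.
$constructed = [
    'nm_anotacao' => 'Aviso "geral" <sala 3>',
    'descricao'   => 'Pauta: </textarea> & <b>itens</b>',
];

if (PHP_SAPI !== 'cli') {
    sendCspHeader();
}
echo "Unsafe rendering (markup characters reach the page as-is):\n";
echo renderNoteFormUnsafe($constructed), "\n\n";
echo "Safe rendering (characters are encoded, browser shows them as text):\n";
echo renderNoteFormSafe($constructed), "\n";
```

Run it with php from the command line to compare the two renderings; in the safe form every `<`, `>`, `&` and `"` in the reflected values comes out as an entity, so the browser treats the note text as text rather than markup. Encoding is applied at output time because the same stored value may later be rendered in an attribute, a text node or a JSON response, each of which needs its own encoding.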
Affected Countries
Portugal, Spain, Italy, France, Germany, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-16T20:17:14.422Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ca2bd1571b2840ff02c434
Added to database: 9/17/2025, 3:32:33 AM
Last enriched: 10/20/2025, 5:10:10 AM
Last updated: 11/2/2025, 10:08:51 PM