CVE-2025-10590: Cross Site Scripting in Portabilis i-Educar
A security flaw has been discovered in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file /intranet/educar_usuario_det.php. The manipulation of the argument ref_pessoa results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
AI Analysis
Technical Summary
CVE-2025-10590 is a cross-site scripting (XSS) vulnerability in the Portabilis i-Educar platform, affecting all versions up to and including 2.10. The flaw resides in an unspecified function within the file /intranet/educar_usuario_det.php, where improper handling of the 'ref_pessoa' parameter allows an attacker to inject script into the page. It can be exploited remotely without authentication or privileges; only user interaction (a victim following a crafted link) is needed to trigger the payload. The vulnerability is classified as reflected XSS: the injected script is reflected by the web server in its response to a crafted request. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, and user interaction needed. The impact primarily affects the integrity and confidentiality of user sessions and data, because the attacker's script runs in the context of the victim's browser; this can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. Although no exploitation in the wild is currently known, exploit code has been publicly released, which increases the risk of exploitation. The vulnerability affects the intranet module of i-Educar, a widely used open-source educational management system deployed in many educational institutions. The absence of an official patch or mitigation guidance in the provided data means that organizations must proactively implement protective measures to reduce exposure.
Potential Impact
For European organizations using Portabilis i-Educar, particularly educational institutions and administrative bodies, this vulnerability poses a moderate risk. Successful exploitation could compromise user accounts, including those of students, teachers, and administrators, potentially leading to unauthorized access to sensitive educational records and personal data. The XSS flaw could also be leveraged for phishing attacks or to spread malware within the institution's network. Given the remote and unauthenticated nature of the attack, any exposed i-Educar intranet portals accessible over the internet or poorly segmented internal networks are at risk. The impact on confidentiality and integrity of data is significant, though availability is not directly affected. The medium severity rating suggests that while the threat is not critical, it warrants timely remediation to prevent exploitation, especially considering the public availability of exploit code. European data protection regulations such as GDPR impose strict requirements on protecting personal data, so exploitation could also lead to regulatory and reputational consequences.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first verify if they are running affected versions (2.0 through 2.10) of Portabilis i-Educar and prioritize upgrading to a patched version once available. In the absence of an official patch, organizations should implement input validation and output encoding on the 'ref_pessoa' parameter to neutralize malicious scripts. Web application firewalls (WAFs) can be configured with custom rules to detect and block typical XSS payloads targeting this parameter. Restricting access to the intranet module through network segmentation and VPNs can reduce exposure to external attackers. Additionally, enforcing Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting the sources from which scripts can be loaded. User awareness training to recognize phishing attempts and suspicious links can further reduce the risk of successful exploitation. Continuous monitoring of web server logs for unusual requests targeting 'educar_usuario_det.php' should be implemented to detect exploitation attempts early.
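The log-monitoring recommendation above, as an added example that is not part of the original advisory or of the i-Educar project: it scans combined-format access logs for requests to educar_usuario_det.php whose ref_pessoa value is not a plain numeric id (the assumption that ref_pessoa should be numeric is the author's, not stated on the page) or carries HTML/JS markers after URL decoding. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2025:11:09:21 +0000] "GET /intranet/educar_usuario_det.php?ref_pessoa=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2025:11:10:02 +0000] "GET /intranet/educar_usuario_det.php?ref_pessoa=1042%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Sep/2025:11:10:40 +0000] "GET /intranet/educar_usuario_det.php?ref_pessoa=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5300 "-" "curl/8.0"
203.0.113.5 - - [17/Sep/2025:11:11:15 +0000] "GET /intranet/educar_usuario_lst.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_FILE = "/intranet/educar_usuario_det.php"   # the vulnerable script named in the advisory
# Tag-like or script-like fragments that should never appear in a numeric id.
XSS_MARKERS = re.compile(r'<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=', re.I)


def classify_ref_pessoa(value):
    """Return None for a benign value, otherwise a short reason string.

    Assumption (not from the advisory): ref_pessoa is a numeric person id.
    """
    decoded = unquote_plus(unquote_plus(value))  # also unwraps double encoding
    if decoded.isdigit():
        return None
    if XSS_MARKERS.search(decoded):
        return "xss-markers"
    return "non-numeric"


def scan_log(text):
    """Yield one alert dict per suspicious ref_pessoa value sent to TARGET_FILE."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_FILE:
            continue
        for value in parse_qs(url.query).get("ref_pessoa", []):
            reason = classify_ref_pessoa(value)
            if reason:
                alerts.append({"ip": m["ip"], "ts": m["ts"],
                               "reason": reason, "value": unquote_plus(value)})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} {a['reason']}: ref_pessoa={a['value']!r}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; each alert identifies the client, time and decoded value so the request can be reviewed.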
Affected Countries
Portugal, Spain, Italy, France, Germany, Poland, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-17T05:44:33.437Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ca96e193b16c2d2a62e6cd
Added to database: 9/17/2025, 11:09:21 AM
Last enriched: 9/17/2025, 11:09:50 AM
Last updated: 11/1/2025, 3:17:11 AM