CVE-2025-10591 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Educar platform, specifically affecting versions 2.0 through 2.10. The vulnerability resides in the /intranet/educar_funcao_cad.php file within the Editar Função Page component. It arises from improper sanitization or validation of user-supplied input in the 'abreviatura' or 'tipoacao' parameters, allowing an attacker to inject malicious scripts. This vulnerability can be exploited remotely without requiring authentication, although it does require some user interaction to trigger the malicious script execution. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector details specify that the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:L), and user interaction needed (UI:P). The impact primarily affects confidentiality and integrity at a low level, with no impact on availability or system confidentiality. The vulnerability does not require special conditions such as scope change or security controls bypass. Although no public exploit in the wild has been reported yet, proof-of-concept code has been made publicly available, increasing the risk of exploitation. The vulnerability is significant because i-Educar is an educational management system widely used by schools and educational institutions to manage student data, academic records, and administrative functions. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the application.

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk to the confidentiality and integrity of user data and session information. Exploitation could lead to unauthorized access to sensitive student and staff information, manipulation of academic records, or disruption of administrative processes. Given the remote exploitability and public availability of exploit code, attackers could target vulnerable installations to conduct phishing, credential theft, or lateral movement within the network. The impact is heightened in Europe due to strict data protection regulations such as GDPR, where unauthorized data access or leakage could result in significant legal and financial penalties. Additionally, the educational sector is increasingly targeted by cybercriminals for espionage or disruption, making this vulnerability a potential vector for broader attacks. The medium severity rating suggests that while the vulnerability is not critical, it should be addressed promptly to prevent exploitation and maintain trust in educational digital services.

To mitigate this vulnerability, European organizations using i-Educar should prioritize the following actions: 1) Apply patches or updates from Portabilis as soon as they become available. Since no patch links are currently provided, organizations should monitor vendor communications closely. 2) Implement web application firewalls (WAFs) with rules specifically designed to detect and block XSS payloads targeting the vulnerable parameters ('abreviatura' and 'tipoacao'). 3) Conduct input validation and sanitization on all user inputs at the application level, ensuring that special characters and scripts are properly escaped or removed. 4) Educate users and administrators about the risks of XSS attacks and encourage cautious behavior when interacting with links or inputs within the i-Educar platform. 5) Restrict access to the intranet and administrative pages to trusted networks and authenticated users only, reducing exposure to remote attackers. 6) Monitor logs and network traffic for unusual activity that could indicate exploitation attempts. 7) Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the application context. These measures, combined, will reduce the attack surface and limit the potential impact of this vulnerability.