
CVE-2025-10605: Cross Site Scripting in Portabilis i-Educar

Medium
Tags: Vulnerability, CVE-2025-10605
Published: Wed Sep 17 2025 (09/17/2025, 17:32:10 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A security flaw has been discovered in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /agenda_preferencias.php. The manipulation of the argument tipoacao results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be exploited.

AI-Powered Analysis

Last updated: 09/18/2025, 00:14:03 UTC

Technical Analysis

CVE-2025-10605 is a cross-site scripting (XSS) vulnerability in the Portabilis i-Educar platform, affecting all versions up to and including 2.10. It resides in /agenda_preferencias.php, in the handling of the 'tipoacao' parameter: the value is reflected without sufficient input validation or output encoding, so an attacker can inject script through that parameter. The vulnerability is remotely exploitable without authentication, but user interaction is required to trigger the injected script, typically when a victim views a crafted link or page. The CVSS 4.0 base score is 5.3, a medium severity rating. The vector is network-based (AV:N), with low attack complexity (AC:L), no attack requirements (AT:N) and no privileges required (PR:N); passive user interaction (UI:P) is needed. The impact falls primarily on the confidentiality and integrity of the user's session or data, with limited impact on availability. The flaw does not directly affect the system's core functionality or availability, but it can be leveraged to steal session cookies, perform actions on the victim's behalf, or conduct phishing within the context of the i-Educar platform. No active exploitation in the wild is currently known, but proof-of-concept code has been released publicly, which increases the risk of exploitation. No patch or update was available at the time of publication, so affected organizations must implement interim mitigations promptly.

Potential Impact

For European organizations using Portabilis i-Educar, particularly educational institutions, this vulnerability poses a risk to the confidentiality and integrity of user data, including potentially sensitive student and staff information. Successful exploitation could allow attackers to hijack user sessions, impersonate users, or inject malicious content, potentially leading to data leakage or unauthorized actions within the platform. Given that i-Educar is an education management system, the impact could extend to disruption of educational services, erosion of trust, and compliance risks under GDPR due to exposure of personal data. While the vulnerability does not directly compromise system availability, the indirect consequences of phishing or session hijacking could lead to operational disruptions. The medium severity rating reflects the balance between ease of exploitation and the limited scope of impact, but the public availability of exploit code increases urgency for mitigation. European organizations are advised to assess their exposure and prioritize remediation to protect sensitive educational data and maintain service integrity.

Mitigation Recommendations

1. Immediate implementation of input validation and output encoding on the 'tipoacao' parameter within /agenda_preferencias.php to neutralize malicious scripts.
2. Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable parameter.
3. Educate users to recognize and avoid clicking on suspicious links or content within the i-Educar platform until a patch is available.
4. Monitor logs for unusual activity or repeated access attempts to the vulnerable endpoint to detect potential exploitation attempts.
5. Coordinate with Portabilis for timely updates or patches and apply them as soon as they are released.
6. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context.
7. Conduct regular security assessments and penetration testing focused on input handling in the i-Educar environment to identify similar vulnerabilities.

These measures go beyond generic advice by focusing on immediate protective controls and user awareness tailored to the specific vulnerability context.
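As an added illustration of recommendation 4 (not code from the advisory or from Portabilis), the following Python script scans web-server access logs in combined format for requests to /agenda_preferencias.php whose tipoacao value is not a plain identifier. The log lines are constructed samples, and the assumption that legitimate tipoacao values are short alphanumeric tokens is a hypothetical allowlist, not something documented by i-Educar.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache/nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Sep/2025:10:01:02 +0000] "GET /agenda_preferencias.php?tipoacao=Editar HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Sep/2025:10:01:05 +0000] "GET /agenda_preferencias.php?tipoacao=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
203.0.113.12 - - [18/Sep/2025:10:01:09 +0000] "GET /index.php?tipoacao=%3Cb%3E HTTP/1.1" 200 1200 "-" "curl/8.0"
203.0.113.13 - - [18/Sep/2025:10:01:12 +0000] "GET /agenda_preferencias.php?tipoacao=%2522%253E%253Cimg HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/agenda_preferencias.php"
PARAM = "tipoacao"
# Hypothetical allowlist: legitimate values are assumed to be short identifiers.
# Anything outside this set (angle brackets, quotes, parentheses, ...) is anomalous.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{0,32}$")


def suspicious_tipoacao(value: str) -> bool:
    """True if the (possibly still percent-encoded) value is not a plain identifier."""
    # Decode twice so double-encoded characters such as %253C ('<') are caught too.
    decoded = unquote(unquote(value))
    return SAFE_VALUE.fullmatch(decoded) is None


def scan_log(text: str) -> list[dict]:
    """Return one record per request to the vulnerable endpoint with an anomalous tipoacao."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # parse_qs already percent-decodes once; keep_blank_values counts empty params too.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            if suspicious_tipoacao(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "value": unquote(value)})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} anomalous {PARAM}={h['value']!r}")
```

Point the script at real access logs to build a first-pass alert; pairing it with the WAF rule from recommendation 2 gives both a blocking and a detective control on the same parameter.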


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-17T07:04:40.807Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cb4e06e5fa2c8b1490b390

Added to database: 9/18/2025, 12:10:46 AM

Last enriched: 9/18/2025, 12:14:03 AM

Last updated: 9/18/2025, 2:00:30 PM
