CVE-2025-10606 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Educar platform, specifically affecting versions 2.0 through 2.10. The vulnerability arises from improper handling of the 'tipoacao' parameter within the /module/Configuracao/ConfiguracaoMovimentoGeral endpoint. This improper input validation allows an attacker to inject malicious scripts that execute in the context of the victim's browser. The vulnerability is remotely exploitable without requiring authentication, and user interaction is necessary for the attack to succeed (e.g., a user clicking a crafted link). The CVSS 4.0 base score is 5.3, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user authentication needed (AT:N). However, user interaction is required (UI:P). The impact primarily affects the confidentiality and integrity of the victim's session or data accessible via the browser, with limited impact on availability. The vulnerability does not affect system components beyond the web interface and does not require special conditions such as elevated privileges or complex exploitation techniques. Although no public exploits have been observed in the wild, proof-of-concept code has been made publicly available, increasing the risk of exploitation.

For European organizations, especially educational institutions or government bodies using Portabilis i-Educar, this vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. Since i-Educar is an education management system, compromised accounts could lead to unauthorized access to sensitive student data, manipulation of academic records, or disruption of administrative processes. The XSS vulnerability could also be leveraged as a foothold for further attacks, including phishing campaigns targeting staff or students. The medium severity rating suggests that while the threat is not critical, it still represents a significant risk, particularly in environments where sensitive personal data is processed. The lack of authentication requirement increases the attack surface, as any remote attacker can attempt exploitation. European data protection regulations such as GDPR impose strict requirements on protecting personal data, so exploitation of this vulnerability could lead to compliance violations and reputational damage.

Organizations should prioritize updating or patching the affected i-Educar versions to a fixed release once available from Portabilis. In the absence of an official patch, immediate mitigations include implementing robust input validation and output encoding on the 'tipoacao' parameter to prevent script injection. Web Application Firewalls (WAFs) can be configured to detect and block suspicious payloads targeting this endpoint. Additionally, security awareness training for users can reduce the risk of successful exploitation by educating them not to click on untrusted links. Monitoring web server logs for unusual requests to /module/Configuracao/ConfiguracaoMovimentoGeral and anomalous user behavior can help detect exploitation attempts. Organizations should also review and tighten Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Finally, conducting regular security assessments and penetration tests on the i-Educar deployment can help identify and remediate similar vulnerabilities proactively.