CVE-2025-7109 is a cross-site scripting (XSS) vulnerability identified in version 2.9.0 of Portabilis i-Educar, an educational management system. The vulnerability exists in the Student Benefits Registration component, specifically within the /intranet/educar_aluno_beneficio_lst.php file. The issue arises from improper sanitization or validation of the 'Benefício' parameter, which can be manipulated by an attacker to inject malicious scripts. This vulnerability is exploitable remotely without requiring authentication, although it requires some level of user interaction (e.g., a victim clicking a crafted link). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required. The impact primarily affects confidentiality and integrity to a limited extent, as the vulnerability can lead to the execution of arbitrary scripts in the context of the victim's browser session, potentially enabling session hijacking, credential theft, or unauthorized actions on behalf of the user. The vendor was notified but has not responded or issued a patch, and public exploit details have been disclosed, increasing the risk of exploitation. The vulnerability does not affect availability and does not require special conditions such as user authentication, but it does require user interaction to trigger the malicious payload.

For European organizations, especially educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to sensitive student data and administrative functions. Exploitation could lead to session hijacking, theft of personal information, or manipulation of student benefit records, undermining data integrity and privacy compliance obligations under GDPR. The public disclosure and lack of vendor response increase the likelihood of exploitation attempts. Institutions relying on this software may face reputational damage, regulatory penalties, and operational disruptions if attackers leverage this vulnerability to compromise user accounts or inject malicious content into their intranet portals. The impact is particularly significant in environments where users have elevated privileges or where the affected component is widely used for managing sensitive student benefits data.

Organizations should implement input validation and output encoding on the 'Benefício' parameter to prevent script injection. Since no official patch is available, immediate mitigations include deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the vulnerable parameter. Administrators should restrict access to the affected intranet pages to trusted users and networks, and enforce strict Content Security Policy (CSP) headers to limit script execution. User awareness training to recognize phishing or suspicious links can reduce the risk of successful exploitation. Monitoring logs for unusual requests to /intranet/educar_aluno_beneficio_lst.php and anomalous user behavior can help detect exploitation attempts. Organizations should also engage with the vendor for updates and consider alternative software solutions if remediation is delayed.