CVE-2025-7112: Cross Site Scripting in Portabilis i-Educar
A vulnerability was found in Portabilis i-Educar 2.9.0 and classified as problematic. This issue affects some unknown processing of the file /intranet/educar_funcao_det.php?cod_funcao=COD&ref_cod_instituicao=COD of the component Function Management Module. The manipulation of the argument Função leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-7112 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Educar version 2.9.0, specifically within the Function Management Module. The vulnerability arises from improper handling of the 'Função' parameter in the file /intranet/educar_funcao_det.php, where user-supplied input is not adequately sanitized or encoded before being reflected in the web application's response. This flaw allows an attacker to inject malicious scripts that execute in the context of the victim's browser session. The vulnerability can be exploited remotely without authentication; the attacker only needs to get a victim to open a specially crafted URL carrying the payload in the 'Função' parameter. The CVSS 4.0 base score is 5.1 (medium severity), reflecting a network attack vector, low attack complexity and no privileges required, but user interaction is necessary (the victim must open the malicious link). The impact falls primarily on confidentiality and integrity at a low level, with limited impact on availability. The vendor has been notified but has not responded, and no official patch or mitigation guidance is currently available. Although no exploitation in the wild has been reported, public disclosure of the vulnerability and exploit details increases the risk of exploitation, especially where i-Educar is deployed without additional protective controls.
Potential Impact
For European organizations, especially educational institutions using Portabilis i-Educar, this vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions performed on behalf of users. Given that i-Educar is an education management system, exploitation could lead to exposure of sensitive student and staff information, manipulation of educational records, or disruption of administrative functions. The requirement for user interaction (clicking a malicious link) means phishing campaigns could be an effective attack vector. The medium severity indicates moderate risk, but the lack of vendor response and patch availability increases exposure time. Organizations relying on i-Educar for critical educational operations may face reputational damage and compliance issues under GDPR if personal data is compromised.
Mitigation Recommendations
Since no official patch is available, European organizations should implement immediate compensating controls. These include:
1) Employing web application firewalls (WAFs) with custom rules to detect and block malicious input patterns targeting the 'Função' parameter.
2) Conducting user awareness training focused on phishing and social engineering to reduce the likelihood of users clicking malicious links.
3) Implementing Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers.
4) Restricting access to the intranet module to trusted networks or VPNs to limit exposure.
5) Monitoring web server logs for suspicious requests containing script tags or unusual parameter values.
6) Planning for an upgrade or patch deployment once the vendor releases a fix, or considering alternative software solutions if remediation is delayed.
Additionally, organizations should review and harden session management to mitigate session hijacking risks.
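As an added defensive example (not part of the advisory and not code from Portabilis), the following Python scans constructed access-log lines for requests to the affected endpoint whose decoded parameters carry script-like content, covering the log-monitoring recommendation above. The endpoint path and the argument name 'Função' come from the advisory; the combined log format, the other query-string parameter names and the detection patterns are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named in the advisory; the query-string parameter names and the
# detection patterns below are assumptions for this example.
AFFECTED_PATH = "/intranet/educar_funcao_det.php"
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b", re.I)
# Apache/nginx "combined" access-log layout (assumed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding; double-encoding is a common evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target: str):
    """Return (parameter, decoded value) for the first script-like parameter, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(AFFECTED_PATH):
        return None
    # parse_qsl already removes one encoding layer and decodes UTF-8 names such as 'Função'.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if SUSPICIOUS.search(value):
            return name, value
    return None

def scan_log(lines):
    """Yield (ip, timestamp, parameter, decoded value) for each flagged request."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hit := inspect_request(m["target"])):
            yield m["ip"], m["ts"], hit[0], hit[1]

# Constructed sample log lines (not real traffic): one benign request, two injection
# attempts against the endpoint (one double-encoded), one against another page.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jul/2025:04:39:21 +0000] "GET /intranet/educar_funcao_det.php?cod_funcao=12&ref_cod_instituicao=1 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [07/Jul/2025:04:40:02 +0000] "GET /intranet/educar_funcao_det.php?cod_funcao=12&Fun%C3%A7%C3%A3o=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5200',
    '203.0.113.9 - - [07/Jul/2025:04:40:15 +0000] "GET /intranet/educar_funcao_det.php?cod_funcao=%253Cimg%2520src%3Dx%2520onerror%253Dx%253E&ref_cod_instituicao=1 HTTP/1.1" 200 5200',
    '198.51.100.4 - - [07/Jul/2025:04:41:00 +0000] "GET /intranet/educar_index.php?q=%3Cscript%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, ts, param, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious value in '{param}': {value!r}")
```

Reflected payloads submitted in a POST body do not appear in the access log, so the same check should also run in a WAF or reverse proxy that sees request bodies.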
Affected Countries
Portugal, Spain, Italy, France, Germany, United Kingdom
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-06T05:41:23.942Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686b4f796f40f0eb72db34cd
Added to database: 7/7/2025, 4:39:21 AM
Last enriched: 7/7/2025, 4:54:32 AM
Last updated: 8/18/2025, 11:28:28 PM