
CVE-2025-7113: Cross Site Scripting in Portabilis i-Educar

Severity: Medium
Published: Mon Jul 07 2025 (07/07/2025, 05:02:08 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was found in Portabilis i-Educar 2.9.0. It has been classified as problematic. Affected is an unknown function of the file /module/ComponenteCurricular/edit?id=ID of the component Curricular Components Module. The manipulation of the argument Nome leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/07/2025, 05:39:33 UTC

Technical Analysis

CVE-2025-7113 is a cross-site scripting (XSS) vulnerability identified in version 2.9.0 of the Portabilis i-Educar platform, specifically within the Curricular Components Module at the endpoint /module/ComponenteCurricular/edit?id=ID. The vulnerability arises from improper sanitization or validation of the 'Nome' parameter, which an attacker can manipulate to inject malicious scripts. This flaw allows remote attackers to execute arbitrary JavaScript code in the context of the victim's browser without requiring authentication, though user interaction is necessary (e.g., clicking a crafted link). The vulnerability is classified as problematic with a CVSS 4.0 base score of 5.1 (medium severity), reflecting its moderate impact and ease of exploitation. The vendor has been notified but has not responded or issued a patch, and while no known exploits are currently in the wild, public disclosure of the exploit code increases the risk of exploitation. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of the user. Availability impact is limited. The lack of vendor response and patch availability increases the urgency for affected organizations to implement mitigations.

Potential Impact

For European organizations using Portabilis i-Educar 2.9.0, particularly educational institutions, this vulnerability poses a tangible risk to user data confidentiality and system integrity. Exploitation could lead to theft of user credentials, session tokens, or unauthorized actions within the platform, potentially compromising sensitive student or staff information. Given the platform's role in managing curricular components, attackers might manipulate educational data or disrupt administrative workflows. The medium severity rating indicates moderate risk, but the public availability of exploit details and absence of vendor patches elevate the threat level. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the organization's network. The impact is more pronounced in environments where users have elevated privileges or where the platform integrates with other critical systems. European data protection regulations such as GDPR impose strict requirements on protecting personal data, so exploitation could also result in regulatory penalties and reputational damage.

Mitigation Recommendations

Since no official patch is available, European organizations should implement immediate compensating controls. These include:

1) Applying strict input validation and output encoding on the 'Nome' parameter at the web application firewall (WAF) or reverse proxy level to block malicious payloads.
2) Enforcing Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers.
3) Conducting user awareness training to recognize and avoid suspicious links or phishing attempts that could trigger XSS attacks.
4) Limiting user privileges within i-Educar to the minimum necessary to reduce potential damage from compromised accounts.
5) Monitoring web server and application logs for unusual activity or repeated attempts to exploit the vulnerability.
6) Segregating the i-Educar system network segment to contain potential breaches.
7) Engaging with Portabilis for updates and tracking any future patches or advisories.
8) Temporarily disabling or restricting access to the vulnerable module, if feasible, until a fix is available.
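Controls 1, 2 and 5 above, as an added example that is not i-Educar's or Portabilis' code: an allow-list check for the 'Nome' parameter that a reverse proxy could apply, the output encoding the application itself should perform before rendering the value, a restrictive CSP header value, and the allow-list check run over access-log lines for the affected endpoint. The endpoint and parameter come from the advisory; the allow-list, the CSP value, the Common Log Format and the sample log lines are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
VULN_PATH = "/module/ComponenteCurricular/edit"
VULN_PARAM = "Nome"

# Assumed allow-list for a component name: letters (accented included), digits,
# spaces and a few punctuation marks. HTML metacharacters and '%' are never
# allowed, so markup and double-encoded input both fail.
NOME_ALLOWED = re.compile(r"^[\w\s.,()\-/]{1,120}$")
def validate_nome(decoded: str) -> tuple[bool, str]:
    """Allow-list check on an already URL-decoded Nome value (proxy-side control)."""
    if NOME_ALLOWED.fullmatch(decoded):
        return True, ""
    return False, "characters outside allow-list"

def render_nome(value: str) -> str:
    """Output-encode before placing the value in HTML: the fix the app itself needs."""
    return '<input name="Nome" value="%s">' % html.escape(value, quote=True)

def csp_header() -> tuple[str, str]:
    """Restrictive CSP that blocks inline and third-party scripts (mitigation 2)."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")

# Constructed Common Log Format lines, not real traffic; the second carries markup.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2025:05:10:01 +0000] "GET /module/ComponenteCurricular/edit?id=12&Nome=Matem%C3%A1tica HTTP/1.1" 200 5120
203.0.113.7 - - [07/Jul/2025:05:11:44 +0000] "GET /module/ComponenteCurricular/edit?id=12&Nome=Hist%C3%B3ria%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5133
203.0.113.9 - - [07/Jul/2025:05:12:09 +0000] "GET /module/Aluno/view?id=3 HTTP/1.1" 200 2048
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
def scan_access_log(text: str) -> list[dict]:
    """Flag requests to the vulnerable endpoint whose Nome fails the allow-list."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != VULN_PATH:
            continue
        # parse_qs decodes exactly once; a leftover '%' signals double-encoding.
        for value in parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, []):
            ok, reason = validate_nome(value)
            if not ok:
                hits.append({"ip": m["ip"], "ts": m["ts"], "nome": value, "reason": reason})
    return hits
```

The allow-list deliberately avoids payload signatures: any markup or stray encoding in Nome is flagged, so the check does not need updating for new XSS variants.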


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-06T05:41:26.847Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 686b5a056f40f0eb72db6818

Added to database: 7/7/2025, 5:24:21 AM

Last enriched: 7/7/2025, 5:39:33 AM

Last updated: 7/7/2025, 8:58:23 AM

