A vulnerability was found in Portabilis i-Educar 2.9.0. It has been rated as problematic. This issue affects some unknown processing of the file /intranet/educar_deficiencia_lst.php of the component Disabilities Module. The manipulation of the argument Deficiência ou Transtorno leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-7866 is a cross-site scripting (XSS) vulnerability identified in version 2.9.0 of Portabilis i-Educar, an educational management system widely used in some educational institutions. The vulnerability resides in the Disabilities Module, specifically in the processing of the /intranet/educar_deficiencia_lst.php file. The issue arises from improper handling and sanitization of the input parameter "Deficiência ou Transtorno," which allows an attacker to inject malicious scripts. This vulnerability can be exploited remotely without authentication, requiring only user interaction to trigger the malicious payload. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required, but user interaction is necessary to execute the exploit. The vulnerability impacts the confidentiality and integrity of user sessions by potentially enabling session hijacking, credential theft, or unauthorized actions performed in the context of the victim user. The vendor has been contacted but has not responded or provided a patch, and no known exploits are currently reported in the wild. However, public disclosure of the exploit details increases the risk of exploitation.

CVE Database V5

Detailed information about CVE-2025-7866: Cross Site Scripting in Portabilis i-Educar affecting Portabilis i-Educar. Get real-time updates, technical details, a

CVE-2025-7866: Cross Site Scripting in Portabilis i-Educar - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7866: Cross Site Scripting in Portabilis i-Educar

A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been declared as problematic. This vulnerability affects the function xssFilter of the file src/main/java/com/jeesite/common/codec/EncodeUtils.java of the component XSS Filter. The manipulation of the argument text leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue.

CVE-2025-7865 is a cross-site scripting (XSS) vulnerability identified in thinkgem JeeSite versions up to 5.12.0. The vulnerability resides in the xssFilter function within the EncodeUtils.java file, specifically in the XSS Filter component. This function is responsible for sanitizing or filtering input text to prevent malicious scripts from being executed in the context of a user's browser. However, due to improper handling or insufficient sanitization of the 'text' argument, an attacker can inject malicious scripts that execute when a victim views the affected content. The vulnerability can be exploited remotely without requiring authentication, though some user interaction is needed (e.g., the victim must visit a crafted URL or page). The disclosed exploit allows attackers to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or other client-side attacks. The vulnerability has a CVSS 4.0 base score of 5.1, categorized as medium severity, reflecting its moderate impact and ease of exploitation. A patch has been released (commit 3585737d21fe490ff6948d913fcbd8d99c41fc08) to address the issue by improving input sanitization in the xssFilter function. No known exploits are currently reported in the wild, but public disclosure increases the risk of exploitation attempts.

Detailed information about CVE-2025-7865: Cross Site Scripting in thinkgem JeeSite affecting thinkgem JeeSite. Get real-time updates, technical details, and mit

CVE-2025-7865: Cross Site Scripting in thinkgem JeeSite - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7865: Cross Site Scripting in thinkgem JeeSite

A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been classified as critical. This affects the function Upload of the file src/main/java/com/jeesite/modules/file/web/FileUploadController.java. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue.

CVE-2025-7864 is a critical vulnerability identified in thinkgem JeeSite versions up to 5.12.0, specifically affecting the file upload functionality implemented in src/main/java/com/jeesite/modules/file/web/FileUploadController.java. The vulnerability allows an attacker to perform unrestricted file uploads remotely without requiring user interaction or elevated privileges. This means that an attacker can upload arbitrary files, potentially including malicious scripts or executables, to the server hosting the JeeSite application. The unrestricted upload flaw arises from insufficient validation or filtering of uploaded files, enabling attackers to bypass security controls that normally restrict file types or content. Exploiting this vulnerability could lead to remote code execution, server compromise, data theft, or disruption of service. Although the CVSS 4.0 base score is 5.3 (medium severity), the potential impact can be significant depending on the deployment context. The vulnerability has a publicly disclosed exploit, increasing the risk of exploitation. A patch identified by commit 3585737d21fe490ff6948d913fcbd8d99c41fc08 is available and should be applied promptly to remediate the issue. The vulnerability does not require authentication or user interaction, making it easier for attackers to exploit remotely over the network. The vulnerability affects all versions from 5.0 through 5.12.0 of JeeSite, a Java-based enterprise application framework widely used for rapid development of web applications, particularly in China and some international markets.

Detailed information about CVE-2025-7864: Unrestricted Upload in thinkgem JeeSite affecting thinkgem JeeSite. Get real-time updates, technical details, and miti

CVE-2025-7864: Unrestricted Upload in thinkgem JeeSite - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7864: Unrestricted Upload in thinkgem JeeSite

A vulnerability was found in thinkgem JeeSite up to 5.12.0 and classified as problematic. Affected by this issue is the function redirectUrl of the file src/main/java/com/jeesite/common/web/http/ServletUtils.java. The manipulation of the argument url leads to open redirect. The attack may be launched remotely. The name of the patch is 3d06b8d009d0267f0255acc87ea19d29d07cedc3. It is recommended to apply a patch to fix this issue.

CVE-2025-7863 is an open redirect vulnerability identified in the thinkgem JeeSite product, affecting all versions up to and including 5.12.0. The vulnerability resides in the redirectUrl function within the ServletUtils.java file (src/main/java/com/jeesite/common/web/http/ServletUtils.java). Specifically, the issue arises from improper validation or sanitization of the 'url' argument passed to this function, allowing an attacker to manipulate the redirect destination. This flaw enables an attacker to craft malicious URLs that appear to originate from a trusted JeeSite domain but redirect users to arbitrary external sites. The vulnerability can be exploited remotely without authentication, and no user privileges are required. However, user interaction is necessary, as the victim must click on a crafted link or be redirected through a compromised vector. The CVSS 4.0 base score is 5.1, categorizing it as a medium severity issue. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:L), and user interaction required (UI:P). The impact primarily affects integrity (limited) and availability (none), with no confidentiality impact. No known exploits are currently reported in the wild, and a patch identified by commit 3d06b8d009d0267f0255acc87ea19d29d07cedc3 is recommended to remediate the issue.

Detailed information about CVE-2025-7863: Open Redirect in thinkgem JeeSite affecting thinkgem JeeSite. Get real-time updates, technical details, and mitigation

CVE-2025-7863: Open Redirect in thinkgem JeeSite - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7863: Open Redirect in thinkgem JeeSite

A vulnerability classified as problematic has been found in Portabilis i-Educar 2.9.0. Affected is an unknown function of the file /intranet/agenda.php of the component Agenda Module. The manipulation of the argument novo_titulo leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Detailed information about CVE-2025-7867: Cross Site Scripting in Portabilis i-Educar affecting Portabilis i-Educar. Get real-time updates, technical details, a

CVE-2025-7867: Cross Site Scripting in Portabilis i-Educar

CVE-2025-7867: Cross Site Scripting in Portabilis i-Educar

Description

Technical Details

Related Threats

CVE-2025-7866: Cross Site Scripting in Portabilis i-Educar

CVE-2025-7865: Cross Site Scripting in thinkgem JeeSite

CVE-2025-7864: Unrestricted Upload in thinkgem JeeSite

CVE-2025-7863: Open Redirect in thinkgem JeeSite

CVE-2025-7862: Missing Authentication in TOTOLINK T6

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility