CVE-2025-7872 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Diario version 1.5.0, an educational management software platform. The vulnerability arises from improper handling of the 'Justificativa' parameter in the /justificativas-de-falta endpoint. Specifically, the application fails to adequately sanitize or encode user-supplied input in this parameter, allowing an attacker to inject malicious scripts. When a victim accesses a crafted URL or submits manipulated input, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability is remotely exploitable without authentication, requiring only user interaction (such as clicking a malicious link). The CVSS 4.0 base score is 5.1, reflecting a medium severity level due to the ease of exploitation (network accessible, no privileges required) but limited impact on confidentiality and integrity (no direct data breach or system compromise). The vendor has been notified but has not responded or issued a patch, and no known exploits are currently observed in the wild. This lack of vendor response increases the risk of exploitation as attackers may develop and deploy exploits independently. The vulnerability affects version 1.5.0 of i-Diario, and no mitigations or patches are currently available from the vendor. Organizations using this version are exposed to potential XSS attacks targeting their users, which can undermine trust and lead to further compromise if combined with other vulnerabilities or social engineering techniques.

For European organizations, particularly educational institutions and administrative bodies using Portabilis i-Diario 1.5.0, this vulnerability poses a risk to user data confidentiality and integrity. Successful exploitation could allow attackers to hijack user sessions, steal authentication tokens, or perform unauthorized actions on behalf of users, potentially disrupting educational operations or exposing sensitive student and staff information. Given the software's role in managing attendance and justifications for absences, manipulation of this data could affect administrative decisions or records. While the vulnerability does not directly compromise system availability, the reputational damage and potential regulatory implications under GDPR for inadequate protection of personal data could be significant. The lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls. The medium severity rating suggests a moderate risk, but the ease of remote exploitation without authentication means attackers could target users broadly, especially if phishing or social engineering is employed to induce user interaction.

1. Implement strict input validation and output encoding on all user-supplied data, especially the 'Justificativa' parameter, to neutralize malicious scripts. If modifying the application code is not immediately feasible, deploy web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the vulnerable endpoint. 2. Educate users about the risks of clicking unsolicited links and encourage cautious behavior regarding emails or messages referencing the i-Diario platform. 3. Restrict browser permissions and employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks. 4. Monitor application logs and network traffic for unusual patterns indicative of exploitation attempts. 5. Engage with the vendor persistently to request patches or official guidance, and consider upgrading to newer versions if available. 6. If possible, isolate the vulnerable application behind VPN or internal networks to reduce exposure to external attackers. 7. Regularly review and update incident response plans to address potential XSS exploitation scenarios.