CVE-2025-7872 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Diario version 1.5.0, a software product used primarily in educational environments for managing school diaries and attendance records. The vulnerability arises from improper sanitization or validation of the 'Justificativa' parameter within the /justificativas-de-falta endpoint. An attacker can craft a malicious payload that, when processed by the vulnerable endpoint, injects executable script code into the web application. This script can then execute in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is remotely exploitable without requiring authentication, although user interaction is necessary to trigger the malicious script (e.g., the victim must visit a crafted URL or interact with a malicious link). The CVSS 4.0 base score is 5.1, indicating a medium severity level, reflecting the moderate impact on confidentiality and integrity, limited impact on availability, and the requirement for user interaction. The vendor was notified but has not responded or issued a patch, and no known exploits are currently observed in the wild. Given the public disclosure of the vulnerability and the lack of vendor response, the risk of exploitation may increase over time.

For European organizations, particularly educational institutions using Portabilis i-Diario 1.5.0, this XSS vulnerability poses a risk to the confidentiality and integrity of user data. Attackers exploiting this flaw could hijack user sessions, steal sensitive information such as student records or staff credentials, and potentially manipulate attendance or justification records. This could lead to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and operational disruptions. Since the product is used in schools, the exposure of minors' data is a critical concern under European data protection laws. The requirement for user interaction somewhat limits the attack vector, but phishing or social engineering campaigns could facilitate exploitation. The lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls.

European organizations should immediately implement input validation and output encoding at the application or web server level as a temporary mitigation to prevent script injection via the 'Justificativa' parameter. Employing web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting /justificativas-de-falta can reduce exposure. User education campaigns to raise awareness about phishing and suspicious links are critical to minimize user interaction risks. Organizations should monitor network and application logs for unusual activity related to this endpoint. If feasible, isolating or restricting access to the affected module until a vendor patch is available can reduce risk. Additionally, organizations should engage with Portabilis for updates and consider alternative solutions if remediation is delayed. Regular security assessments and penetration testing focusing on XSS vulnerabilities should be conducted to identify similar issues.