
CVE-2025-8365: Cross Site Scripting in Portabilis i-Educar

Medium
Vulnerability | CVE-2025-8365
Published: Thu Jul 31 2025 (07/31/2025, 04:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was found in Portabilis i-Educar 2.10. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file atendidos_cad.php. The manipulation of the argument nome/nome_social/email leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/31/2025, 04:32:44 UTC

Technical Analysis

CVE-2025-8365 is a cross-site scripting (XSS) vulnerability identified in version 2.10 of Portabilis i-Educar, an educational management system. The vulnerability resides in an unspecified functionality within the atendidos_cad.php file, where the input parameters nome, nome_social, and email are reflected without adequate sanitization, so that a value containing markup is rendered as script. An attacker can craft a request that, when processed by the vulnerable application, executes arbitrary JavaScript in the context of the victim's browser. The attack can be launched remotely, but it requires user interaction (for example, the victim following a malicious link or visiting an attacker-controlled page). The vulnerability has a CVSS 4.0 base score of 5.1, a medium severity rating. The vector shows a network-based attack (AV:N) of low complexity (AC:L) that requires low privileges (PR:L) and user interaction (UI:P). The impact is primarily to the integrity and confidentiality of user data: injected script can steal session tokens, perform actions on behalf of the logged-in user, or redirect users to malicious sites. The vendor was notified early but has not responded or issued a patch; although no exploitation in the wild is known, public disclosure of the exploit increases the risk of exploitation.
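The pattern the analysis describes, and the fix the mitigation section below recommends, side by side. This is an added illustration written for this page, not i-Educar's code: the form handler, its HTML output and the sample input are constructed, and only the three parameter names (nome, nome_social, email) come from the advisory.

```php
<?php
// Added example, not i-Educar code. A constructed form handler for the three
// parameters named in the advisory, showing the unsafe reflection pattern
// next to a validate-then-encode version.
declare(strict_types=1);

// Unsafe pattern: the submitted value is interpolated straight into the HTML
// response, so a value that closes the attribute and adds an event handler,
// or that contains <script>, is rendered as markup rather than as text.
function render_unsafe(array $post): string
{
    $nome = $post['nome'] ?? '';
    return "<input name=\"nome\" value=\"$nome\">";
}

// Validation: reject what a name or e-mail address never legitimately needs.
function validate_fields(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['nome', 'nome_social'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        // Control characters and angle brackets have no place in a person's name.
        if (strlen($value) > 255 || preg_match('/[\x00-\x1F\x7F<>]/', $value)) {
            $errors[$field] = 'invalid characters or length';
        } else {
            $clean[$field] = $value;
        }
    }
    $email = trim((string)($post['email'] ?? ''));
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid e-mail address';
    } else {
        $clean['email'] = $email;
    }
    return [$clean, $errors];
}

// Output encoding at the sink: ENT_QUOTES covers both quote styles so the value
// is inert inside an attribute; ENT_SUBSTITUTE avoids silent empty output on bad UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(array $post): string
{
    [$clean, $errors] = validate_fields($post);
    if ($errors !== []) {
        $items = array_map(
            fn(string $f, string $e): string => '<li>' . h($f) . ': ' . h($e) . '</li>',
            array_keys($errors),
            $errors
        );
        return '<ul>' . implode('', $items) . '</ul>';
    }
    $out = '';
    foreach ($clean as $field => $value) {
        $out .= '<input name="' . h($field) . '" value="' . h($value) . '">' . "\n";
    }
    return $out;
}

// Constructed sample input for a stand-alone run (php example.php). The nome value
// contains no angle brackets, so it passes validation; only the encoding step
// stops it from breaking out of the value attribute.
$sample = ['nome' => 'Ana" onfocus="alert(1)', 'nome_social' => 'Ana', 'email' => 'ana@example.org'];
echo "unsafe:\n", render_unsafe($sample), "\n\n";
echo "safe:\n", render_safe($sample), "\n";
```

The sample input is chosen to show why the mitigation section asks for both validation and output encoding: the name passes the character check, and it is `htmlspecialchars()` at the point of output that turns the quote into `&quot;` and keeps the value inside the attribute. Encoding belongs at the sink, per output context; a value that is later placed in a JavaScript string or a URL needs a different encoder.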

Potential Impact

For European organizations using Portabilis i-Educar 2.10, this vulnerability poses a significant risk to the confidentiality and integrity of user data, particularly sensitive student and staff information managed within the platform. Successful exploitation could lead to session hijacking, unauthorized actions within the system, or phishing attacks targeting users of the platform. Educational institutions are often targeted due to the valuable personal data they hold and the critical nature of their services. Disruption or compromise could affect operational continuity and trust in the institution's digital infrastructure. Given the remote exploitability and lack of vendor response, the risk of exploitation may increase over time, especially as attackers develop automated tools to leverage the disclosed vulnerability. The medium severity rating suggests moderate impact, but the educational sector's sensitivity to data breaches and regulatory requirements such as GDPR heighten the consequences of such an attack in Europe.

Mitigation Recommendations

Organizations should immediately audit their use of Portabilis i-Educar 2.10 and identify any instances of the vulnerable atendidos_cad.php functionality. Since no official patch is available, mitigation should focus on implementing input validation and output encoding on the affected parameters (nome, nome_social, email) to neutralize malicious scripts. Web application firewalls (WAFs) can be configured with custom rules to detect and block common XSS payloads targeting these parameters. Additionally, organizations should educate users about the risks of clicking on suspicious links and encourage the use of modern browsers with built-in XSS protections. Monitoring logs for unusual activity related to these parameters can help detect attempted exploitation. If feasible, consider isolating or restricting access to the vulnerable module until a vendor patch or workaround is available. Finally, maintain regular backups and incident response plans tailored to web application attacks.
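For the log-monitoring recommendation above, an added example of what "unusual activity related to these parameters" can mean in practice. This is not i-Educar or vendor code: it scans web-server access-log lines for requests to atendidos_cad.php whose nome, nome_social or email query parameters carry markup-like content. The log format, the request path under which the script sits and the sample lines are constructed; only query-string parameters are visible in an access log, so POST bodies would need application-level logging.

```php
<?php
// Added example, not i-Educar code. Flags access-log lines where one of the
// advisory's three parameters carries content that looks like script injection.
declare(strict_types=1);

const WATCHED_SCRIPT = 'atendidos_cad.php';            // from the advisory
const WATCHED_PARAMS = ['nome', 'nome_social', 'email']; // from the advisory

// Returns [param, decoded value] pairs that look like injection attempts,
// or an empty array when the line is not a request of interest.
function suspicious_params(string $logLine): array
{
    // Combined-log-format request field, e.g. "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return [];
    }
    $url = parse_url($m[1]);
    if (!is_array($url) || !isset($url['path'], $url['query'])
        || basename($url['path']) !== WATCHED_SCRIPT) {
        return [];
    }
    parse_str($url['query'], $params);   // parse_str URL-decodes every value
    $hits = [];
    foreach (WATCHED_PARAMS as $p) {
        if (!isset($params[$p]) || !is_string($params[$p])) {
            continue;
        }
        $v = $params[$p];
        // Angle brackets, inline event handlers or javascript: URLs never belong in a name or e-mail.
        if (preg_match('/<|>|javascript:|\bon[a-z]+\s*=/i', $v)) {
            $hits[] = [$p, $v];
        }
    }
    return $hits;
}

// Constructed sample lines; "/app/" is a placeholder path, not i-Educar's real layout.
$sampleLog = [
    '203.0.113.5 - - [31/Jul/2025:04:02:05 +0000] "GET /app/atendidos_cad.php?nome=Ana&email=ana%40example.org HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Jul/2025:04:03:11 +0000] "GET /app/atendidos_cad.php?nome=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Jul/2025:04:03:12 +0000] "GET /app/index.php?nome=%3Cb%3Ex HTTP/1.1" 200 100',
];

// Stand-alone run over the constructed lines; swap in file('php://stdin') to pipe a real log.
foreach ($sampleLog as $n => $line) {
    foreach (suspicious_params($line) as [$p, $v]) {
        printf("line %d: parameter %s contains %s\n", $n + 1, $p, json_encode($v));
    }
}
```

Only the second line is reported; the first carries an ordinary name and address, and the third targets a different script. The character heuristic is deliberately narrow so that it stays quiet on legitimate traffic; it is a triage signal for the affected parameters, not a substitute for the encoding fix.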


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-30T16:36:44.280Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 688aee6ead5a09ad00b2b227

Added to database: 7/31/2025, 4:17:50 AM

Last enriched: 7/31/2025, 4:32:44 AM

Last updated: 7/31/2025, 5:43:25 PM

