CVE-2025-8367 is a cross-site scripting (XSS) vulnerability identified in version 2.9 of Portabilis i-Educar, an educational management system. The vulnerability exists in the /intranet/funcionario_vinculo_lst.php file, specifically through improper handling of the 'nome' parameter. This flaw allows an attacker to inject malicious scripts that execute in the context of a victim's browser when they access a crafted URL or input. The vulnerability is remotely exploitable without requiring authentication, and user interaction is needed to trigger the malicious payload, such as clicking a malicious link or visiting a compromised page. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, and user interaction needed. The impact primarily affects confidentiality and integrity, with limited impact on availability. The vendor has been contacted but has not responded or issued a patch, and no known exploits are currently in the wild. Given the public disclosure, the risk of exploitation may increase over time. XSS vulnerabilities can be leveraged for session hijacking, credential theft, or delivering further malware, especially in web applications handling sensitive user data like educational records.

For European organizations using Portabilis i-Educar 2.9, this vulnerability poses a moderate risk. Educational institutions often manage sensitive personal data of students and staff, so exploitation could lead to unauthorized access to confidential information or session hijacking. This could result in data breaches, reputational damage, and regulatory non-compliance under GDPR. The remote exploitability without authentication increases the attack surface, especially if the affected systems are accessible from the internet or internal networks with many users. However, the requirement for user interaction somewhat limits automated exploitation. The lack of vendor response and patch availability means organizations must rely on other mitigations, increasing operational risk. If exploited, attackers could manipulate user sessions or inject malicious content, potentially disrupting educational services or compromising user trust.

European organizations should immediately implement input validation and output encoding controls on the 'nome' parameter within their deployment of i-Educar, if possible, to neutralize malicious scripts. Deploying a Web Application Firewall (WAF) with custom rules to detect and block typical XSS payloads targeting the vulnerable endpoint can provide a temporary protective layer. Organizations should restrict access to the intranet interface hosting the vulnerable script to trusted networks and authenticated users only, reducing exposure. Regularly monitoring web server logs for suspicious requests targeting /intranet/funcionario_vinculo_lst.php can help detect exploitation attempts early. User awareness training to recognize phishing or suspicious links can reduce the risk of successful user interaction exploitation. Finally, organizations should engage with Portabilis or community forums for updates or unofficial patches and plan for an upgrade once a fix is available.