
CVE-2025-8368: Cross Site Scripting in Portabilis i-Educar

Medium
Tags: Vulnerability, CVE-2025-8368, cve, cve-2025-8368
Published: Thu Jul 31 2025 (07/31/2025, 05:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability classified as problematic was found in Portabilis i-Educar 2.9. This vulnerability affects unknown code of the file /intranet/pesquisa_pessoa_lst.php. Manipulation of the argument campo_busca/cpf leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/31/2025, 06:02:56 UTC

Technical Analysis

CVE-2025-8368 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Educar version 2.9, specifically within the /intranet/pesquisa_pessoa_lst.php file. The vulnerability arises from improper sanitization or validation of user-supplied input in the 'campo_busca' or 'cpf' parameters, which allows an attacker to inject malicious scripts. The vulnerability is exploitable remotely without authentication, but user interaction is needed to trigger the payload, typically by tricking a user into clicking a crafted link or visiting a malicious page. The CVSS 4.0 base score is 5.3, indicating medium severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no attack requirements (AT:N). However, user interaction (UI:P) is necessary to execute the attack. The vulnerability impacts the confidentiality and integrity of the affected system by potentially allowing attackers to execute arbitrary scripts in the context of the victim's browser session, leading to session hijacking, credential theft, or unauthorized actions on behalf of the user. The vendor was notified but has not responded or released a patch, and no official remediation is currently available. Although no known exploits are reported in the wild, the public disclosure of the exploit code increases the risk of exploitation.

Potential Impact

For European organizations using Portabilis i-Educar 2.9, particularly educational institutions managing sensitive student and staff data, this vulnerability poses a significant risk. Successful exploitation could lead to theft of session cookies, enabling attackers to impersonate users and access confidential information such as personal identification data, academic records, and internal communications. This could result in data breaches violating GDPR regulations, leading to legal and financial repercussions. Additionally, attackers might perform unauthorized actions within the application, potentially disrupting educational operations or escalating privileges. The remote exploitability without authentication increases the attack surface, especially if the affected systems are accessible over the internet or within intranet environments with insufficient network segmentation. The lack of vendor response and patches exacerbates the risk, as organizations must rely on alternative mitigations to protect their environments.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement several targeted mitigations:

1) Apply strict input validation and output encoding at the application or web server level, using web application firewalls (WAFs) configured to detect and block malicious payloads targeting the 'campo_busca' and 'cpf' parameters.
2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the i-Educar application.
3) Limit access to the vulnerable intranet page by network segmentation and IP whitelisting, ensuring only trusted users can reach the affected endpoint.
4) Educate users about the risks of clicking suspicious links and implement browser security features such as anti-XSS extensions.
5) Monitor logs for unusual input patterns or repeated attempts to exploit the vulnerability.
6) Consider deploying reverse proxies or application gateways that can sanitize inputs before reaching the application.
7) Plan for an upgrade or migration to a patched or alternative solution once available, and maintain communication with the vendor for updates.
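The bug class described in the Technical Analysis, and mitigations 1) and 2) above, as an added PHP example. This is not i-Educar's code: the advisory does not show the affected handler, so the "vulnerable" function is a hypothetical reconstruction of a reflected-XSS pattern using the page's parameter names, and the function names, the CPF format check and the CSP value are assumptions.

```php
<?php
// Added illustrative example, not code from i-Educar. The real handler in
// /intranet/pesquisa_pessoa_lst.php is not shown on the advisory, so the
// vulnerable pattern below is a hypothetical reconstruction of the bug class.

declare(strict_types=1);

// Vulnerable pattern: search values are reflected into HTML without encoding,
// so any markup an attacker places in campo_busca or cpf is rendered as-is.
function render_search_vulnerable(array $query): string
{
    $campo = $query['campo_busca'] ?? '';
    $cpf   = $query['cpf'] ?? '';
    return "<input name=\"campo_busca\" value=\"$campo\">"
         . "<p>Resultados para CPF: $cpf</p>";
}

// Hardened pattern: validate what has a known shape, encode everything on output.
function render_search_fixed(array $query): string
{
    $campo = (string)($query['campo_busca'] ?? '');
    $cpf   = (string)($query['cpf'] ?? '');

    // A CPF is 11 digits, optionally punctuated (assumed format); reject anything else.
    if ($cpf !== '' && !preg_match('/^\d{3}\.?\d{3}\.?\d{3}-?\d{2}$/', $cpf)) {
        $cpf = '';
    }

    // Context-aware output encoding; ENT_QUOTES is required because the value
    // lands inside a double-quoted attribute as well as in the HTML body.
    $e = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<input name="campo_busca" value="' . $e($campo) . '">'
         . '<p>Resultados para CPF: ' . $e($cpf) . '</p>';
}

// Defence in depth (mitigation 2): a CSP without 'unsafe-inline' keeps a
// reflected inline script from running even if encoding is missed somewhere.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Constructed sample input containing attribute-breaking markup.
$sample = ['campo_busca' => '"><b>x</b>', 'cpf' => '123.456.789-09'];
echo render_search_fixed($sample), PHP_EOL;
```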


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-30T16:36:57.228Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 688b0383ad5a09ad00b3861b

Added to database: 7/31/2025, 5:47:47 AM

Last enriched: 7/31/2025, 6:02:56 AM

Last updated: 7/31/2025, 6:09:30 PM

