CVE-2025-8511: Cross Site Scripting in Portabilis i-Diario

Severity: Medium
Published: Sun Aug 03 2025 (08/03/2025, 13:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Diario

Description

A vulnerability classified as problematic was found in Portabilis i-Diario 1.5.0. This vulnerability affects unknown code of the file /diario-de-observacoes/ of the component Observações. The manipulation of the argument Descrição leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/03/2025, 14:02:44 UTC

Technical Analysis

CVE-2025-8511 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Diario version 1.5.0, specifically within the Observações component at the /diario-de-observacoes/ endpoint. The vulnerability arises from improper sanitization or validation of the 'Descrição' parameter, which allows an attacker to inject malicious scripts. This flaw can be exploited remotely without requiring authentication, although user interaction is necessary for the malicious script to execute (e.g., a victim clicking a crafted link or viewing a manipulated page). The vulnerability has been publicly disclosed, and while no exploitation has been observed in the wild so far, the availability of exploit details increases the risk of future attacks. The vendor has not responded to notifications, and no patches or mitigations have been released at this time. The CVSS v4.0 base score is 5.1, a medium severity level. The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:P), no confidentiality impact and limited integrity impact on the vulnerable system (VC:N, VI:L), and no impact on availability. This vulnerability primarily threatens the confidentiality and integrity of user sessions and data by enabling script injection, potentially leading to session hijacking, defacement, or redirection to malicious sites.

Potential Impact

For European organizations using Portabilis i-Diario 1.5.0, particularly educational institutions or administrative bodies managing student records and observations, this vulnerability poses a risk of unauthorized script execution within users' browsers. This can lead to theft of session cookies, credential compromise, or manipulation of displayed data, undermining trust and data integrity. Given the nature of i-Diario as an educational diary platform, exploitation could disrupt communication between educators, students, and parents, potentially exposing sensitive student information. The medium severity score suggests moderate risk, but the lack of vendor response and patch availability elevates the urgency. Additionally, the remote exploitability without authentication broadens the attack surface. European organizations must consider compliance with GDPR, as any data breach or unauthorized data access resulting from this vulnerability could lead to regulatory penalties and reputational damage.

Mitigation Recommendations

Since no official patch is available, European organizations should implement immediate compensating controls. These include deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'Descrição' parameter in /diario-de-observacoes/. Input validation and output encoding should be enforced at the application layer if source code access is possible, sanitizing user inputs to neutralize scripts. Organizations should also educate users to avoid clicking suspicious links and monitor logs for unusual activity related to this endpoint. Network segmentation can limit exposure of the i-Diario system to only trusted users. Regular vulnerability scanning and penetration testing focused on XSS vectors should be conducted. Finally, organizations should maintain close monitoring for any vendor updates or community patches and plan for timely application once available.
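The two application-layer controls recommended above, a request check on the 'Descrição' field of the /diario-de-observacoes/ endpoint and HTML output encoding of the stored value, as an added Python example that is not part of the advisory or of i-Diario itself; the accent-free field spelling "descricao" and the sample requests are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Endpoint and parameter named in the advisory. The accent-free spellings are
# an assumption about how the form field may be transmitted on the wire.
OBSERVATION_PATH = "/diario-de-observacoes/"
DESCRIPTION_FIELDS = ("Descrição", "descricao", "Descricao")

# Markup that has no place in a plain-text observation note: opening/closing
# tags, inline event handlers, javascript: URLs and numeric character references.
ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript\s*:|&#x?[0-9a-f]+;",
    re.IGNORECASE,
)


def suspicious_description(path, form):
    """Return the decoded description if a request to the observation endpoint
    carries HTML-active content in it, otherwise None (WAF-style check)."""
    if not path.startswith(OBSERVATION_PATH):
        return None
    for field in DESCRIPTION_FIELDS:
        raw = form.get(field)
        if raw is None:
            continue
        # Decode twice so a double-encoded "<" (%253C) is caught as well.
        value = unquote_plus(unquote_plus(raw))
        if ACTIVE_MARKUP.search(value):
            return value
    return None


def encode_for_html(text):
    """Output encoding to apply wherever a stored description is rendered into
    HTML; this is the application-layer fix the advisory recommends."""
    return html.escape(text, quote=True)


# Constructed sample requests (path, form fields); not taken from the advisory.
SAMPLE_REQUESTS = [
    ("/diario-de-observacoes/", {"descricao": "Aluno participou bem da aula."}),
    ("/diario-de-observacoes/", {"descricao": "Teste+%3Cscript%3E1%3C%2Fscript%3E"}),
    ("/outra-pagina/", {"descricao": "<b>fora do escopo</b>"}),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return the indices of the requests that should be blocked or alerted on."""
    return [i for i, (p, f) in enumerate(requests) if suspicious_description(p, f) is not None]
```

Only the second sample is flagged: the first is plain text and the third is outside the affected endpoint, so the rule stays narrow enough to live in a WAF without blocking ordinary notes.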

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-02T15:20:49.779Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 688f687bad5a09ad00dac97d

Added to database: 8/3/2025, 1:47:39 PM

Last enriched: 8/3/2025, 2:02:44 PM

Last updated: 8/3/2025, 10:04:43 PM
