CVE-2025-8540: Cross Site Scripting in Portabilis i-Educar
A vulnerability was found in Portabilis i-Educar 2.10. It has been classified as problematic. This affects an unknown part of the file /intranet/public_municipio_cad.php. The manipulation of the argument nome leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8540 is a cross-site scripting (XSS) vulnerability identified in version 2.10 of Portabilis i-Educar, an educational management software platform. The vulnerability arises from improper sanitization of the 'nome' parameter in the /intranet/public_municipio_cad.php file, allowing an attacker to inject malicious scripts. This flaw can be exploited remotely without authentication, requiring only user interaction to trigger the malicious payload. The vulnerability is classified as medium severity with a CVSS 4.8 score, reflecting its moderate impact and ease of exploitation. The vendor has been notified but has not responded or issued a patch. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation. The vulnerability primarily affects the confidentiality and integrity of user sessions and data by enabling script injection, which could lead to session hijacking, defacement, or redirection to malicious sites. Availability impact is minimal. The vulnerability does not require elevated privileges but does require user interaction, such as clicking a crafted link or visiting a malicious page that exploits the vulnerable parameter.
Potential Impact
For European organizations using Portabilis i-Educar 2.10, particularly educational institutions and municipal education departments, this vulnerability poses a risk to the confidentiality and integrity of user data and sessions. Successful exploitation could allow attackers to steal authentication tokens, perform actions on behalf of users, or deliver malware through the application interface. This could disrupt educational operations, compromise sensitive student or staff information, and damage institutional reputation. Given the software's role in managing educational data, the impact extends to compliance with data protection regulations such as GDPR. Although the vulnerability does not directly impact system availability, the indirect consequences of data breaches or unauthorized access could be significant. The lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls.
Mitigation Recommendations
Since no official patch is available, European organizations should implement immediate mitigations including:
1) Input validation and output encoding: Apply strict server-side input validation and sanitize the 'nome' parameter to neutralize malicious scripts before rendering.
2) Web Application Firewall (WAF): Deploy or update WAF rules to detect and block XSS attack patterns targeting the vulnerable parameter.
3) Content Security Policy (CSP): Implement CSP headers to restrict the execution of unauthorized scripts within the application context.
4) User awareness: Educate users to avoid clicking suspicious links or interacting with untrusted content related to the application.
5) Monitoring and logging: Enhance monitoring to detect anomalous activities indicative of XSS exploitation attempts.
6) Segmentation and least privilege: Limit access to the intranet application to trusted networks and users to reduce exposure.
7) Vendor engagement: Continue efforts to engage the vendor for an official patch and consider alternative software if remediation is delayed.
These measures collectively reduce the risk until a formal fix is released.
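The following is an added example, not code from i-Educar or from the advisory, showing what mitigations 1) and 3) look like in a PHP page that reflects a user-supplied nome value. The page does not say how public_municipio_cad.php actually handles the parameter, so the function names, the allow-list for a municipality name and the page layout are assumptions; the point is that the value is validated on the server, encoded with htmlspecialchars at every point it is rendered, and backed by a nonce-based CSP so an injected inline script would not execute even if an encoding gap remained.

```php
<?php
// Added example (hypothetical code, not i-Educar's own): hardened handling of a
// user-supplied "nome" parameter in a PHP page.
declare(strict_types=1);

// Encode a value for safe insertion into HTML text or a quoted attribute.
// ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop data.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Server-side validation for a municipality name: bounded length and a
// conservative character allow-list (letters including accents, combining
// marks, spaces, periods, hyphens, apostrophes). The allow-list is an
// assumption about what a "nome" should contain; adjust to the real data.
function validateNome(string $nome): ?string
{
    $nome = trim($nome);
    if ($nome === '' || mb_strlen($nome, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'-]+$/u', $nome)) {
        return null;
    }
    return $nome;
}

// Restrictive CSP: only same-origin scripts and scripts carrying this
// request's nonce may run, so a reflected inline <script> is blocked.
function sendCsp(string $nonce): void
{
    header("Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'");
}

$nonce = base64_encode(random_bytes(16));
sendCsp($nonce);
header('Content-Type: text/html; charset=UTF-8');

// Validation happens before anything is rendered; reject rather than "clean up".
$nome = validateNome($_GET['nome'] ?? '');
if ($nome === null) {
    http_response_code(400);
    echo '<p>Nome inválido.</p>';
    exit;
}
$safe = encodeForHtml($nome);
?>
<!doctype html>
<html lang="pt-BR">
<head>
<meta charset="utf-8">
<title>Município</title>
<!-- The page's own script is allowed by the nonce; injected scripts are not. -->
<script nonce="<?= encodeForHtml($nonce) ?>">document.title = 'Município';</script>
</head>
<body>
<!-- Text node and attribute value both use the encoded string. -->
<p>Município: <?= $safe ?></p>
<form method="post" action="public_municipio_cad.php">
  <input type="text" name="nome" value="<?= $safe ?>">
</form>
</body>
</html>
```

Output encoding is the control that closes the reflected XSS; the allow-list validation and the CSP are defence in depth, which matters here because the vendor has not shipped a fix and operators cannot be sure every render site in the file has been covered.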
Affected Countries
Portugal, Spain, Italy, France, Germany
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-04T12:40:40.700Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 689170dcad5a09ad00e51c1a
Added to database: 8/5/2025, 2:47:56 AM
Last enriched: 8/13/2025, 1:03:52 AM
Last updated: 9/16/2025, 3:37:47 AM
Views: 34