CVE-2025-8542: Cross Site Scripting in Portabilis i-Educar
A vulnerability was found in Portabilis i-Educar 2.10. It has been rated as problematic. This issue affects some unknown processing of the file /intranet/empresas_cad.php. The manipulation of the argument fantasia/razao_social leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8542 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Educar version 2.10, specifically affecting the processing of the /intranet/empresas_cad.php file. The vulnerability arises from improper sanitization or validation of user-supplied input in the 'fantasia' or 'razao_social' parameters, which can be manipulated to inject malicious scripts. This flaw allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser when they access a crafted URL or page. The vulnerability is remotely exploitable without authentication, but requires user interaction to trigger the malicious payload, such as clicking a link or visiting a compromised page. The CVSS 4.0 base score is 4.8 (medium severity), reflecting the network attack vector, low complexity, no privileges required, but requiring user interaction and only limited impact on integrity. The vendor has been contacted but has not responded or provided a patch, and no known exploits are currently observed in the wild. The disclosure is public, increasing the risk of exploitation attempts. The vulnerability could be leveraged to steal session cookies, perform actions on behalf of authenticated users, or conduct phishing attacks within the affected application environment.
Potential Impact
For European organizations using Portabilis i-Educar 2.10, particularly educational institutions or administrative bodies managing school data, this vulnerability poses a risk to the confidentiality and integrity of user sessions and data. Successful exploitation could lead to session hijacking, unauthorized actions within the application, or distribution of malicious content to users, potentially undermining trust and compliance with data protection regulations such as GDPR. While the vulnerability does not directly impact availability, the reputational damage and potential data breaches could have significant operational and legal consequences. The medium severity rating suggests a moderate risk, but the lack of vendor response and patch increases exposure. Organizations relying on this software should be aware of the threat and consider the sensitivity of the data handled by i-Educar in their risk assessments.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls. These include:
1) Applying strict input validation and output encoding at the web application firewall (WAF) or reverse proxy level to filter or sanitize suspicious input in the 'fantasia' and 'razao_social' parameters.
2) Enforcing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
3) Educating users to avoid clicking on suspicious links or unsolicited URLs related to the i-Educar application.
4) Monitoring web server logs and application behavior for unusual requests targeting the vulnerable parameters.
5) If feasible, isolating or restricting access to the intranet portion of the application to trusted networks or VPN users only.
6) Planning for an upgrade or migration to a patched or alternative solution once available.
7) Engaging with Portabilis or community forums to track any forthcoming patches or advisories.
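The following is an added example, not code from Portabilis or from the i-Educar project, illustrating recommendations 1 and 4 above: a context-aware output-encoding helper for the two affected parameters, and a small detector that scans web server access-log lines for requests to /intranet/empresas_cad.php whose 'fantasia' or 'razao_social' values contain HTML markup. The log format, the sample log lines, the IP addresses and the payload strings are all constructed for the example; the path and parameter names are the ones named in the advisory.

```python
"""Defensive helpers for the CVE-2025-8542 pattern (added example, not vendor code).

- encode_for_html(): the code-level fix, HTML-encoding user input before it is
  reflected into a page (text or attribute context).
- scan_log(): log-based detection of requests that carry markup in the
  'fantasia' / 'razao_social' parameters of /intranet/empresas_cad.php.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Values taken from the advisory text.
VULN_PATH = "/intranet/empresas_cad.php"
VULN_PARAMS = ("fantasia", "razao_social")

# Tokens that a company name never legitimately needs but that are required to
# break out of an HTML text node or attribute.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|on\w+\s*=""", re.IGNORECASE)

# Combined-log style access line (constructed format for this example):
# ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def encode_for_html(value):
    """Encode a user-supplied string for safe insertion into HTML.

    quote=True also encodes " and ', so the result is safe inside a quoted
    attribute as well as in element text.
    """
    return html.escape(value, quote=True)


def flag_request(target):
    """Return the names of affected parameters carrying markup in `target`.

    `target` is the request-target as logged (path plus query string).
    Requests to other paths are ignored.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for name in VULN_PARAMS:
        for raw in query.get(name, []):
            # parse_qs already decoded once; decode a second time so that
            # double-encoded values (%253C -> %3C -> <) are not missed.
            if SUSPICIOUS.search(unquote_plus(raw)):
                hits.append(name)
                break
    return hits


def scan_log(lines):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        params = flag_request(match.group("target"))
        if params:
            findings.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "method": match.group("method"),
                "status": match.group("status"),
                "params": params,
            })
    return findings


# Constructed sample log: one benign request, one single-encoded markup
# injection, one markup value on an unrelated path, one double-encoded value.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Aug/2025:10:00:01 +0000] "GET /intranet/empresas_cad.php'
    '?fantasia=Escola%20Azul&razao_social=Escola%20Azul%20Ltda HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Aug/2025:10:00:07 +0000] "GET /intranet/empresas_cad.php'
    '?fantasia=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210',
    '198.51.100.2 - - [13/Aug/2025:10:00:09 +0000] "GET /intranet/index.php'
    '?fantasia=%3Cb%3E HTTP/1.1" 200 800',
    '203.0.113.9 - - [13/Aug/2025:10:00:12 +0000] "GET /intranet/empresas_cad.php'
    '?razao_social=x%253Cb%253E HTTP/1.1" 200 5190',
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} markup in {finding['params']}")
    print(encode_for_html('<script>alert(1)</script>'))
```

The detector only sees what the server logs, so requests that submit the parameters in a POST body rather than the query string will not appear unless request bodies are logged; it is a monitoring aid, not a substitute for encoding the values at the point where the application writes them into the page.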
Affected Countries
Portugal, Spain, Italy, France, Germany, Poland, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-04T12:40:46.055Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68917b59ad5a09ad00e5629d
Added to database: 8/5/2025, 3:32:41 AM
Last enriched: 8/13/2025, 1:04:39 AM
Last updated: 9/16/2025, 11:45:22 AM