CVE-2025-8545 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Educar version 2.10, specifically within the file /intranet/educar_motivo_afastamento_cad.php. The vulnerability arises from improper sanitization or validation of the 'nm_motivo' parameter, which can be manipulated by an attacker to inject malicious scripts. This vulnerability is classified as problematic with a CVSS 4.8 (medium) score, indicating a moderate level of risk. The attack vector is network-based (AV:N), requiring no privileges (PR:H indicates high privileges, but the vector suggests no privileges needed, which may be a discrepancy), no user interaction (UI:P means user interaction is required), and no scope change. The vulnerability impacts confidentiality minimally (VC:N), has low impact on integrity (VI:L), and no impact on availability (VA:N). The vendor has been contacted but has not responded or issued a patch, and a public exploit disclosure exists, increasing the risk of exploitation. The vulnerability allows remote attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the affected web application. Given that i-Educar is an educational management system, exploitation could compromise sensitive student and staff data or disrupt educational operations.

For European organizations, particularly educational institutions using Portabilis i-Educar 2.10, this vulnerability poses a risk to the confidentiality and integrity of sensitive data such as student records, staff information, and internal communications. Successful exploitation could enable attackers to perform session hijacking, steal authentication tokens, or conduct phishing attacks within the trusted environment of the application. This could lead to unauthorized data access, manipulation of educational records, or reputational damage. Additionally, the presence of a public exploit increases the likelihood of opportunistic attacks. Although the CVSS score is medium, the lack of vendor response and patch availability prolongs exposure. European educational institutions are increasingly targeted by cyber adversaries, making timely mitigation critical to prevent data breaches and maintain compliance with GDPR and other data protection regulations.

Given the absence of an official patch, European organizations should implement immediate compensating controls. These include: 1) Applying strict input validation and output encoding on the 'nm_motivo' parameter at the web application firewall (WAF) or reverse proxy level to block malicious scripts. 2) Employing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3) Conducting thorough code reviews and temporary code-level sanitization if source code access is available. 4) Restricting access to the vulnerable intranet page to trusted IP addresses or VPN users only. 5) Monitoring web server logs for suspicious requests targeting the vulnerable parameter. 6) Educating users about phishing risks and suspicious activity. 7) Planning for an upgrade or migration to a patched version once available or considering alternative solutions if vendor support remains absent. These targeted mitigations go beyond generic advice by focusing on the specific vulnerable parameter and the operational context of the affected application.