CVE-2025-8786 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Diario software, versions 1.0 through 1.5.0. The vulnerability resides in an unspecified function within the /registros-de-conteudos-por-areas-de-conhecimento/ path of the Registro das atividades component. Specifically, the vulnerability arises from improper sanitization or validation of the 'Registro de atividades/Conteúdos' argument, which allows an attacker to inject malicious scripts. This injection can be triggered remotely without authentication, requiring only user interaction to execute the malicious payload. The vulnerability has been publicly disclosed, and although no known exploits are currently active in the wild, the availability of the exploit code increases the risk of exploitation. The vendor, Portabilis, has not responded to the disclosure, and no patches or mitigations have been officially released. The CVSS v4.0 score of 5.1 reflects a medium severity level, indicating a moderate risk primarily due to the potential for limited confidentiality and integrity impact, with no direct effect on availability. The attack vector is network-based with low attack complexity, no privileges required, but user interaction is necessary for exploitation. The vulnerability could allow attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the affected application.

For European organizations using Portabilis i-Diario, particularly educational institutions or administrative bodies that rely on this software for activity registration and content management, this vulnerability poses a tangible risk. Successful exploitation could lead to the compromise of user sessions, exposure of sensitive data, and unauthorized actions performed on behalf of legitimate users. Given that the vulnerability requires user interaction, phishing or social engineering campaigns could be employed to trigger the XSS payload. This could undermine trust in the affected systems, lead to data breaches involving personal or educational records, and potentially disrupt administrative workflows. The lack of vendor response and absence of patches exacerbate the risk, as organizations may be forced to rely on temporary mitigations. The impact is heightened in environments where i-Diario is integrated with other critical systems or where users have elevated privileges. Additionally, the public disclosure of the exploit code increases the likelihood of opportunistic attacks targeting European entities.

Given the absence of official patches, European organizations should implement immediate compensating controls. These include deploying web application firewalls (WAFs) with custom rules to detect and block malicious input patterns targeting the vulnerable parameter. Input validation and output encoding should be enforced at the application level where possible, potentially through custom development or middleware solutions. Organizations should conduct user awareness training to reduce the risk of successful social engineering attacks that could trigger the XSS payload. Monitoring and logging of web application traffic should be enhanced to detect anomalous activities indicative of exploitation attempts. If feasible, isolating or restricting access to the vulnerable component can reduce exposure. Additionally, organizations should engage with Portabilis for updates and consider alternative software solutions if remediation is delayed. Regular security assessments and penetration tests focusing on this vulnerability can help identify and mitigate risks proactively.