CVE-2025-8786 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Diario software, versions up to and including 1.5.0. The vulnerability exists in an unspecified function within the /registros-de-conteudos-por-areas-de-conhecimento/ path of the Registro das atividades component. Specifically, the vulnerability arises from improper sanitization or validation of the 'Registro de atividades/Conteúdos' argument, which allows an attacker to inject malicious scripts. This flaw can be exploited remotely without requiring authentication, although user interaction is necessary to trigger the malicious payload. The vulnerability has been publicly disclosed, and while no known exploits are currently observed in the wild, the public availability of the exploit code increases the risk of exploitation. The vendor, Portabilis, was notified early but has not responded or provided a patch, leaving affected users exposed. The CVSS v4.0 score is 5.1, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, but user interaction needed. The impact primarily affects confidentiality and integrity, with limited impact on availability. The vulnerability could be leveraged to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the application context.

For European organizations using Portabilis i-Diario, particularly educational institutions or administrative bodies relying on this software for activity registration and content management, this vulnerability poses a moderate risk. Successful exploitation could lead to theft of user credentials, session tokens, or unauthorized actions performed on behalf of legitimate users, potentially compromising sensitive educational data or user privacy. Given that the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure users into triggering the malicious payload. The lack of vendor response and absence of patches increases the window of exposure. Furthermore, if the software is integrated with other systems or contains sensitive student or staff data, the impact could extend beyond the immediate application. However, the medium severity and requirement for user interaction somewhat limit the scope of damage. Still, organizations could face reputational damage, regulatory scrutiny under GDPR for data breaches, and operational disruptions if attackers leverage this vulnerability as an entry point for further attacks.

Organizations should implement several specific measures to mitigate this vulnerability: 1) Employ web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable parameter. 2) Conduct thorough input validation and output encoding on the affected parameter within any custom integrations or extensions if source code access is available. 3) Educate users on phishing and social engineering risks to reduce the likelihood of successful exploitation requiring user interaction. 4) Monitor application logs for suspicious activity related to the Registro das atividades component, focusing on unusual input patterns or script injections. 5) If feasible, isolate the i-Diario application within a segmented network zone to limit lateral movement in case of compromise. 6) Engage with Portabilis or community forums for updates or unofficial patches, and consider alternative software solutions if no vendor remediation is forthcoming. 7) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application. 8) Regularly back up application data to enable recovery in case of compromise.