CVE-2025-8787 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Diario software, specifically affecting versions up to 1.5.0. The vulnerability resides in an unspecified functionality within the /registros-de-conteudos-por-disciplina/ path of the Registro das atividades component. The issue arises from improper sanitization or validation of the 'Registro de atividades/Conteúdos' argument, allowing an attacker to inject malicious scripts. This vulnerability can be exploited remotely without requiring authentication, although it does require some user interaction (e.g., a victim clicking a crafted link or viewing manipulated content). The disclosed CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L, which suggests limited privileges but not full authentication), and user interaction needed (UI:P). The impact primarily affects confidentiality and integrity at a low level, with no direct impact on availability. The vendor was notified early but did not respond, and no patches or mitigations have been published yet. Although no known exploits are currently in the wild, public disclosure increases the risk of exploitation attempts. Given the nature of XSS, successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed in the context of a legitimate user, potentially compromising user data and trust in the affected system.

For European organizations using Portabilis i-Diario, particularly educational institutions or administrative bodies relying on this software for managing academic records and activities, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to sensitive student or staff information, manipulation of academic content, and potential phishing or social engineering attacks leveraging the trusted platform. The impact on confidentiality and integrity could undermine data privacy compliance obligations under GDPR, leading to legal and reputational consequences. Additionally, since the vulnerability requires user interaction, targeted attacks against staff or students are plausible, increasing the risk of credential compromise and lateral movement within organizational networks. The lack of vendor response and absence of patches heighten the urgency for organizations to implement compensating controls to mitigate exposure.

Organizations should immediately audit their deployment of Portabilis i-Diario to identify affected versions (1.0 through 1.5.0) and restrict access to the vulnerable component where possible. Implementing web application firewalls (WAFs) with custom rules to detect and block malicious input patterns targeting the 'Registro de atividades/Conteúdos' parameter can reduce exploitation risk. User input sanitization and output encoding should be enforced at the application level if source code access is available, or through proxy solutions that sanitize traffic. Educating users about the risks of clicking suspicious links and monitoring logs for unusual activity related to the vulnerable endpoint are critical. Organizations should also isolate the affected system within the network to limit potential lateral movement. Since no official patch exists, maintaining close monitoring of vendor communications and threat intelligence feeds for updates or unofficial patches is recommended. Finally, consider implementing Content Security Policy (CSP) headers to mitigate the impact of XSS attacks by restricting script execution contexts.