CVE-2025-8788: Cross Site Scripting in Portabilis i-Diario
A vulnerability was found in Portabilis i-Diario up to 1.5.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /planos-de-aula-por-areas-de-conhecimento/ of the component Informações adicionais. The manipulation of the argument Parecer/Conteúdos/Objetivos leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8788 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Diario software, versions up to and including 1.5.0. The vulnerability resides in the component 'Informações adicionais', specifically within the functionality related to the file path /planos-de-aula-por-areas-de-conhecimento/. The issue arises due to improper sanitization or validation of the input parameters Parecer, Conteúdos, and Objetivos, which can be manipulated by an attacker to inject malicious scripts. This vulnerability can be exploited remotely without requiring authentication, although it requires some user interaction (e.g., a victim visiting a crafted URL or page). The CVSS v4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required, but user interaction is necessary. The vulnerability impacts confidentiality and integrity to a limited extent, as it allows execution of arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vendor was notified but did not respond or issue a patch, and no official fixes are currently available. Although no known exploits are reported in the wild, the public disclosure of the exploit code increases the risk of exploitation. The vulnerability affects all versions from 1.0 through 1.5.0 of the i-Diario product, which is an educational management system used primarily in Brazil but may have deployments in other countries. The lack of vendor response and patch availability increases the urgency for organizations to implement mitigations to reduce risk.
Potential Impact
For European organizations using Portabilis i-Diario, this XSS vulnerability could lead to unauthorized script execution within users' browsers, potentially compromising sensitive educational data, user credentials, or session tokens. This could result in unauthorized access to student records, grade manipulation, or leakage of personal information, impacting confidentiality and integrity. Additionally, successful exploitation could facilitate phishing attacks or malware distribution by redirecting users to malicious sites. While the vulnerability does not directly affect system availability, the reputational damage and regulatory consequences under GDPR for data breaches could be significant. European educational institutions or administrative bodies using this software are at risk of targeted attacks, especially if the software is integrated with other critical systems. The medium severity rating suggests a moderate risk, but the lack of patches and public exploit availability heighten the threat level. Organizations must consider the potential for exploitation in environments with less stringent user awareness or where users have elevated privileges.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement the following specific mitigations:
1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable parameters (Parecer, Conteúdos, Objetivos) in the affected URL path.
2) Conduct input validation and output encoding at the application or proxy level where possible to sanitize user inputs and prevent script injection.
3) Restrict access to the affected component or URL path to trusted users or networks using access control lists or VPNs.
4) Educate users about the risks of clicking on suspicious links and implement browser security policies such as Content Security Policy (CSP) headers to limit script execution.
5) Monitor logs for unusual requests or error patterns indicative of exploitation attempts.
6) Plan for an upgrade or migration to alternative software solutions if vendor support remains unavailable.
7) Isolate the i-Diario system from critical infrastructure to contain potential breaches.
These targeted mitigations go beyond generic advice by focusing on the specific vulnerable parameters and component.
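The two code-level mitigations above, output encoding (item 2) and log monitoring (item 5), worked through in Ruby, the language i-Diario is written in. This is an added example, not code from the i-Diario project or from the advisory: the field labels and markup in render_additional_info, the SUSPICIOUS pattern and the SAMPLE_LOG lines are constructed for illustration; only the request path and the three parameter names come from the advisory.

```ruby
require 'erb'
require 'uri'

# Request path and parameters named in the advisory (CVE-2025-8788).
AFFECTED_PATH   = '/planos-de-aula-por-areas-de-conhecimento/'.freeze
AFFECTED_PARAMS = %w[Parecer Conteúdos Objetivos].freeze

# --- Mitigation 2: output encoding ---------------------------------------
# Hardened rendering of the three fields. Labels and markup are assumed for
# illustration; they are not i-Diario's own templates. Every value is
# HTML-escaped at the output boundary, so a stored or reflected "<script>"
# reaches the browser as inert text ("&lt;script&gt;").
def render_additional_info(params)
  AFFECTED_PARAMS.map do |name|
    value = params.fetch(name, '')
    "<p><strong>#{ERB::Util.html_escape(name)}:</strong> " \
      "#{ERB::Util.html_escape(value)}</p>"
  end.join("\n")
end

# --- Mitigation 5: log monitoring ----------------------------------------
# Heuristic markers of script injection in a decoded parameter value.
SUSPICIOUS = /<\s*script|javascript:|on\w+\s*=|<\s*(?:img|svg|iframe)\b/i

# Returns the access-log lines that hit the affected path with a suspicious
# value in one of the affected parameters.
def suspicious_requests(log_lines)
  log_lines.select do |line|
    next false unless line.include?(AFFECTED_PATH)
    query = line[/\?(\S*)/, 1]        # query string of the request line
    next false unless query
    begin
      params = URI.decode_www_form(query).to_h   # percent-decodes keys and values
    rescue ArgumentError
      next true                       # malformed %-encoding is itself worth a look
    end
    AFFECTED_PARAMS.any? { |name| params[name].to_s.match?(SUSPICIOUS) }
  end
end

# Constructed sample log lines (not real traffic) in combined-log style.
SAMPLE_LOG = [
  '203.0.113.10 - - [10/Aug/2025:02:17:43 +0000] "GET /planos-de-aula-por-areas-de-conhecimento/?Parecer=Bom+desempenho&Objetivos=Ler HTTP/1.1" 200 512',
  '203.0.113.11 - - [10/Aug/2025:02:18:01 +0000] "GET /planos-de-aula-por-areas-de-conhecimento/?Parecer=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 534',
  '203.0.113.12 - - [10/Aug/2025:02:18:22 +0000] "GET /planos-de-aula-por-areas-de-conhecimento/?Conte%C3%BAdos=Fra%C3%A7%C3%B5es&Objetivos=javascript%3Aalert(1) HTTP/1.1" 200 540',
  '203.0.113.13 - - [10/Aug/2025:02:19:05 +0000] "GET /outra-pagina/?Parecer=%3Cscript%3E HTTP/1.1" 404 120'
].freeze

if $PROGRAM_NAME == __FILE__
  puts render_additional_info('Parecer' => '<script>alert(1)</script>',
                              'Conteúdos' => 'Frações', 'Objetivos' => 'a & b')
  suspicious_requests(SAMPLE_LOG).each { |l| puts "FLAGGED: #{l}" }
end
```

Two caveats for anyone running the monitoring half: an access log only shows query strings, so if the form submits these fields in a POST body the same check has to run on WAF or application-level request logs instead; and the pattern is a triage heuristic for spotting probing, not a replacement for the encoding fix, which is what actually closes the hole.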
Affected Countries
Portugal, Spain, Italy, France, Germany
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-09T05:11:26.097Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68980147ad5a09ad0010c093
Added to database: 8/10/2025, 2:17:43 AM
Last enriched: 8/10/2025, 2:33:03 AM
Last updated: 8/11/2025, 12:33:50 AM