CVE-2025-8919: Cross Site Scripting in Portabilis i-Diario

Medium
Published: Wed Aug 13 2025 (08/13/2025, 17:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Diario

Description

A vulnerability was determined in Portabilis i-Diario up to 1.6. Affected is an unknown function of the file /objetivos-de-aprendizagem-e-habilidades of the component History Page. The manipulation of the argument código/objetivo habilidade leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 08/13/2025, 18:04:20 UTC

Technical Analysis

CVE-2025-8919 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Diario software, versions 1.0 through 1.6. The vulnerability resides in an unspecified function within the /objetivos-de-aprendizagem-e-habilidades file, part of the History Page component. Specifically, the flaw arises from improper handling and sanitization of the 'código/objetivo habilidade' parameter, which can be manipulated by an attacker to inject malicious scripts. This vulnerability is exploitable remotely without requiring authentication, but it does require user interaction to trigger the malicious payload (e.g., a victim clicking a crafted link). The vendor has been notified but has not responded or issued a patch. The CVSS v4.0 base score is 4.8 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but user interaction needed. The impact primarily affects confidentiality and integrity at a low level, with no direct impact on availability or system control. Although no known exploits are currently in the wild, the public disclosure of the exploit code increases the risk of exploitation. The vulnerability could allow attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the affected web application.

Potential Impact

For European organizations using Portabilis i-Diario, particularly educational institutions or administrative bodies managing learning objectives and student records, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to sensitive student data or manipulation of educational records through session hijacking or theft of authentication tokens. Given that i-Diario is an educational management platform, the confidentiality and integrity of student information and academic records are critical. An attacker exploiting this XSS flaw could also conduct phishing attacks or deliver malware via the compromised web interface. While the vulnerability does not directly impact system availability, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. The lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls to mitigate the risk.

Mitigation Recommendations

Organizations should immediately implement input validation and output encoding controls on the 'código/objetivo habilidade' parameter to prevent injection of malicious scripts. Web application firewalls (WAFs) can be configured with custom rules to detect and block suspicious payloads targeting this parameter. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly monitor web server logs for unusual requests or patterns indicative of exploitation attempts. Since no official patch is available, organizations should consider isolating or restricting access to the affected component where feasible. User awareness training is also critical to reduce the risk of users interacting with malicious links. Finally, organizations should engage with Portabilis for updates and consider alternative solutions if remediation is delayed.
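Two of the controls above, output encoding and log review, as an added Ruby example that is not Portabilis code: `render_objetivo` HTML-escapes a user-controlled value before it reaches the page, and `suspicious_request?` flags requests to /objetivos-de-aprendizagem-e-habilidades whose decoded query string carries markup or script markers. The access-log format, the parameter name `busca` and the sample lines are constructed assumptions.

```ruby
require 'cgi'
require 'uri'

# Added example, not Portabilis code. Assumes a combined-format access log;
# the query parameter name used in the samples is a placeholder.
AFFECTED_PATH = '/objetivos-de-aprendizagem-e-habilidades'

# Output encoding: render a user-controlled value (e.g. the código/objetivo
# habilidade field) as inert text inside an HTML table cell.
def render_objetivo(value)
  "<td>#{CGI.escapeHTML(value.to_s)}</td>"
end

# Heuristic markers of markup or script injection, checked against the
# percent-decoded query string. Intended for log triage, not as a WAF rule.
XSS_MARKERS = [
  /<\s*\/?\s*[a-z]/i,   # opening or closing HTML tag
  /javascript\s*:/i,    # javascript: URL scheme
  /\bon[a-z]+\s*=/i     # inline event-handler attribute
].freeze

# Extract path and query string from the request field of a log line;
# returns nil when the line carries no recognisable request.
def parse_request(line)
  m = line.match(/"(?:GET|POST) (\S+) HTTP/)
  return nil unless m
  path, _sep, query = m[1].partition('?')
  [path, query]
end

# True when a request to the affected path has a decoded query string
# containing any of the markers above.
def suspicious_request?(line)
  path, query = parse_request(line)
  return false unless path == AFFECTED_PATH
  decoded = begin
    URI.decode_www_form_component(query)
  rescue ArgumentError
    query # malformed percent-encoding: inspect the raw string instead
  end
  XSS_MARKERS.any? { |re| decoded.match?(re) }
end

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
  '10.0.0.5 - - [13/Aug/2025:17:32:06 +0000] "GET /objetivos-de-aprendizagem-e-habilidades?busca=EF01LP02 HTTP/1.1" 200 512',
  '10.0.0.9 - - [13/Aug/2025:17:35:10 +0000] "GET /objetivos-de-aprendizagem-e-habilidades?busca=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 512',
  '10.0.0.9 - - [13/Aug/2025:17:36:01 +0000] "GET /login?busca=%3Cscript%3E HTTP/1.1" 200 100'
].freeze

def flagged_lines(lines = SAMPLE_LOG)
  lines.select { |l| suspicious_request?(l) }
end
```

Only the second sample line is flagged: the first carries a plain habilidade code and the third targets a different path.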

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-13T10:53:00.673Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689ccfdaad5a09ad004fb50b

Added to database: 8/13/2025, 5:48:10 PM

Last enriched: 8/13/2025, 6:04:20 PM

Last updated: 8/14/2025, 6:03:54 AM
