CVE-2025-8920 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Diario version 1.6, specifically within the component handling the Dicionário de Termos BNCC page, located at the /dicionario-de-termos-bncc endpoint. The vulnerability arises from improper sanitization or validation of the 'Planos de ensino' argument, allowing an attacker to inject malicious scripts that execute in the context of a victim's browser. This vulnerability can be exploited remotely without authentication, although it requires user interaction (e.g., a user visiting a crafted URL). The vendor has not responded to early notifications, and no patches have been released as of the publication date. The CVSS 4.0 base score is 4.8, indicating a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H is unusual but likely a typo or misconfiguration; assuming no privileges required), user interaction required (UI:P), and limited impact on integrity (VI:L), with no impact on confidentiality or availability. The exploit allows attackers to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or other client-side attacks. Although no known exploits are currently in the wild, public disclosure increases the risk of exploitation. The lack of vendor response and patch availability increases the urgency for affected organizations to implement mitigations.

For European organizations using Portabilis i-Diario 1.6, particularly educational institutions or government bodies managing educational data, this XSS vulnerability poses a risk to the confidentiality and integrity of user sessions and data. Attackers could leverage this flaw to perform phishing attacks, steal authentication tokens, or manipulate user interactions, potentially leading to unauthorized access or data leakage. Although the vulnerability does not directly impact system availability, the reputational damage and potential regulatory consequences (e.g., GDPR violations due to data exposure) could be significant. The risk is heightened in environments where users have elevated privileges or access sensitive educational records. Additionally, since the vulnerability is remotely exploitable and requires only user interaction, it could be exploited via malicious links sent through email or messaging platforms, increasing the attack surface. The absence of vendor patches means organizations must rely on compensating controls to mitigate risk.

1. Implement strict input validation and output encoding on the 'Planos de ensino' parameter to prevent script injection. Since no official patch is available, organizations should consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable endpoint. 2. Educate users about the risks of clicking on suspicious links and implement security awareness training focused on phishing and social engineering. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the i-Diario application. 4. Monitor web server logs and application logs for unusual requests or patterns indicative of exploitation attempts. 5. If feasible, isolate the vulnerable component or restrict access to trusted networks until a vendor patch is released. 6. Engage with Portabilis or community forums to track patch releases or unofficial fixes. 7. Regularly update and audit all web-facing applications to identify and remediate similar vulnerabilities proactively.