
CVE-2025-9104: Cross Site Scripting in Portabilis i-Diario

Severity: Medium
Published: Mon Aug 18 2025 (08/18/2025, 03:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Diario

Description

A flaw has been found in Portabilis i-Diario up to 1.5.0. The affected element is an unknown function of the file /planos-de-aulas-por-disciplina/ of the component Informações Adicionais Page. This manipulation of the argument Parecer/Objeto de Conhecimento/Habilidades causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/18/2025, 04:17:49 UTC

Technical Analysis

CVE-2025-9104 is a cross-site scripting (XSS) vulnerability identified in Portabilis i-Diario versions up to 1.5.0. The vulnerability exists in the component Informações Adicionais Page, specifically within the /planos-de-aulas-por-disciplina/ file. The flaw arises from improper handling and sanitization of the argument Parecer/Objeto de Conhecimento/Habilidades, allowing an attacker to inject malicious scripts. This vulnerability can be exploited remotely without requiring authentication, although user interaction is necessary for the malicious script to execute (e.g., a victim clicking a crafted link). The CVSS 4.0 base score is 5.1 (medium severity), reflecting the ease of remote exploitation with low attack complexity but requiring user interaction and limited impact on confidentiality and integrity, with no impact on availability. The vendor has not responded to early notifications, and no patches or mitigations have been officially released. While no known exploits are currently in the wild, the public disclosure of the vulnerability increases the risk of exploitation. XSS vulnerabilities can lead to session hijacking, defacement, phishing, or redirection to malicious sites, impacting users and potentially compromising sensitive information within the affected application environment.

Potential Impact

For European organizations using Portabilis i-Diario, particularly educational institutions that rely on this software for managing lesson plans and related academic information, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to execute arbitrary scripts in the context of the victim's browser, potentially stealing session cookies, impersonating users, or delivering malware. This could lead to unauthorized access to sensitive student or staff data, reputational damage, and disruption of educational activities. Since the vulnerability requires user interaction, phishing campaigns targeting staff or students could be a vector. The lack of vendor response and absence of patches increases exposure time. Additionally, compliance with GDPR mandates protection of personal data, and exploitation of this vulnerability could lead to data breaches with regulatory consequences. The impact is heightened in environments where i-Diario is integrated with other systems or where users have elevated privileges.

Mitigation Recommendations

Organizations should implement immediate compensating controls while awaiting official patches. These include:

1) Applying web application firewall (WAF) rules to detect and block suspicious input patterns targeting the vulnerable parameters.
2) Conducting user awareness training to recognize phishing attempts that may deliver malicious links exploiting this XSS.
3) Implementing Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers.
4) Reviewing and sanitizing all user-supplied input on the affected pages if custom modifications are possible.
5) Monitoring logs for unusual activity related to the vulnerable endpoints.
6) Isolating or restricting access to the affected application components where feasible.
7) Engaging with Portabilis or community forums for any unofficial patches or workarounds.
8) Planning for rapid deployment of patches once available.

These measures go beyond generic advice by focusing on immediate, practical steps tailored to the vulnerability's nature and the affected environment.
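The following is an added illustration of the output-encoding fix (item 4) and the CSP header (item 3) applied to the three field names the advisory cites; it is not i-Diario's code and assumes a Ruby/ERB-style template in which the Informações Adicionais values are interpolated into HTML. The field contents are constructed sample data.

```ruby
require "erb"

# Constructed sample: the three free-text fields named in the advisory, with
# markup standing in for untrusted field content (constructed, not real data).
SAMPLE_FIELDS = {
  "Parecer" => "Aluno participativo <script>alert(1)</script>",
  "Objeto de Conhecimento" => "Frações & decimais",
  "Habilidades" => "EF05MA03 <img src=x onerror=alert(1)>",
}.freeze

# Vulnerable rendering: values are interpolated into HTML verbatim, which is
# the class of defect the advisory describes (unsanitized field content
# reaching the page and being parsed by the browser).
def render_additional_info_unsafe(fields)
  fields.map { |label, value| "<dt>#{label}</dt><dd>#{value}</dd>" }.join
end

# Hardened rendering: every untrusted value is HTML-escaped at output time,
# so any markup in the field is displayed as text instead of executed.
def render_additional_info_safe(fields)
  fields.map do |label, value|
    "<dt>#{ERB::Util.html_escape(label)}</dt>" \
      "<dd>#{ERB::Util.html_escape(value)}</dd>"
  end.join
end

# Self-check used by the test: returns the element names present in the
# rendered HTML other than the <dt>/<dd> the template itself emits. A safe
# rendering yields an empty list; leaked tags indicate an escaping gap.
def unexpected_tags(html)
  html.scan(%r{</?(\w+)}).flatten.map(&:downcase).uniq - %w[dt dd]
end

# Defence in depth: a CSP value that forbids inline scripts, so an escaping
# slip does not by itself give script execution in CSP-enforcing browsers.
# The nonce must be generated per response; the caller supplies it.
def content_security_policy_header(nonce)
  "default-src 'self'; script-src 'self' 'nonce-#{nonce}'; " \
    "object-src 'none'; base-uri 'self'"
end

if __FILE__ == $PROGRAM_NAME
  puts render_additional_info_unsafe(SAMPLE_FIELDS)
  puts render_additional_info_safe(SAMPLE_FIELDS)
  puts content_security_policy_header("constructed-nonce")
end
```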


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-17T20:37:43.692Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a2a5e2ad5a09ad00a247e9

Added to database: 8/18/2025, 4:02:42 AM

Last enriched: 8/18/2025, 4:17:49 AM

Last updated: 8/18/2025, 6:35:12 AM

