
CVE-2025-9105: Cross Site Scripting in Portabilis i-Diario

Severity: Medium
Published: Mon Aug 18 2025 (08/18/2025, 04:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Diario

Description

A vulnerability has been found in Portabilis i-Diario up to 1.5.0. The impacted element is an unknown function of the file /planos-de-ensino-por-areas-de-conhecimento/ of the component Informações Adicionais Page. Such manipulation of the argument Parecer/Conteúdos/Objetivos leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/18/2025, 04:32:44 UTC

Technical Analysis

CVE-2025-9105 is a Cross Site Scripting (XSS) vulnerability identified in Portabilis i-Diario versions up to 1.5.0. The vulnerability resides in the component Informações Adicionais Page, specifically within the file path /planos-de-ensino-por-areas-de-conhecimento/. The issue arises from improper sanitization or validation of the input parameters Parecer, Conteúdos, and Objetivos, which are user-controllable arguments. An attacker can craft malicious input that, when processed by the vulnerable page, results in the execution of arbitrary JavaScript code in the context of the victim's browser. This type of vulnerability allows remote attackers to perform actions such as session hijacking, defacement, or redirecting users to malicious sites without requiring authentication. The vulnerability is remotely exploitable and requires user interaction, such as visiting a maliciously crafted URL or interacting with manipulated content. The vendor was notified early but has not responded or issued a patch, and no official remediation is currently available. The CVSS v4.0 base score is 5.1 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction and limited impact on confidentiality and integrity. Although no known exploits are currently in the wild, the public disclosure of the vulnerability increases the risk of exploitation by opportunistic attackers.

Potential Impact

For European organizations using Portabilis i-Diario, especially educational institutions or government bodies managing academic records and teaching plans, this vulnerability poses a risk of client-side attacks. Successful exploitation could lead to theft of session cookies, enabling attackers to impersonate legitimate users and potentially access sensitive educational data or administrative functions. It could also facilitate phishing attacks by injecting malicious scripts that redirect users to fraudulent sites. While the vulnerability does not directly compromise server integrity or availability, the loss of confidentiality and trust could disrupt operations and damage reputations. Given the educational focus of the product, the impact on minors or sensitive student data could raise compliance concerns under GDPR and other data protection regulations. The lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls to mitigate risk.

Mitigation Recommendations

Since no official patch is available, European organizations should implement the following specific mitigations:

1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable parameters (Parecer, Conteúdos, Objetivos).
2) Conduct thorough input validation and output encoding on any user-supplied data before rendering it in the browser, if customization or internal development is possible.
3) Educate users to avoid clicking on suspicious links or interacting with untrusted content related to the affected pages.
4) Monitor web server logs for unusual requests targeting the vulnerable endpoints to detect potential exploitation attempts.
5) Consider isolating or restricting access to the affected component or disabling the vulnerable functionality temporarily if feasible.
6) Plan for an upgrade or migration to a patched or alternative solution once available.
7) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the affected application.
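As an added example (not code from the advisory or from Portabilis), the log-monitoring recommendation above applied to constructed combined-format access-log lines: the check is scoped to the endpoint and parameter names the advisory gives, and it decodes each value twice so double-encoded payloads are not missed. The log format, sample lines and indicator patterns are assumptions.

```ruby
require "cgi"

# Endpoint and parameter names taken from the advisory.
VULN_PATH = "/planos-de-ensino-por-areas-de-conhecimento/"
WATCHED_PARAMS = %w[Parecer Conteúdos Objetivos].freeze

# Indicators of injected markup; illustrative, not exhaustive.
XSS_INDICATORS = [
  /<\s*script/i,
  /\bon[a-z]+\s*=/i, # event-handler attributes such as onerror=
  /javascript\s*:/i,
  /<\s*(iframe|svg|img|object|embed)\b/i,
].freeze

# Constructed sample access-log lines (combined format), not real traffic.
LOG_LINES = [
  '203.0.113.5 - - [18/Aug/2025:04:02:05 +0000] "GET /planos-de-ensino-por-areas-de-conhecimento/?Parecer=Bom+trabalho&Objetivos=Ler+mais HTTP/1.1" 200 512',
  '203.0.113.7 - - [18/Aug/2025:04:03:11 +0000] "GET /planos-de-ensino-por-areas-de-conhecimento/?Conte%C3%BAdos=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 733',
  '203.0.113.9 - - [18/Aug/2025:04:04:40 +0000] "GET /planos-de-ensino-por-areas-de-conhecimento/?Objetivos=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 733',
  '203.0.113.9 - - [18/Aug/2025:04:05:02 +0000] "GET /alunos/?Parecer=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 404 120',
].freeze

# Names of watched parameters whose decoded value looks like script
# injection on the vulnerable endpoint; [] for anything else.
def suspicious_params(line)
  m = line.match(%r{"[A-Z]+ (?<target>\S+) HTTP/[\d.]+"})
  return [] unless m
  path, query = m[:target].split("?", 2)
  return [] unless path.start_with?(VULN_PATH)
  hits = []
  # CGI.parse percent-decodes parameter names and values once.
  CGI.parse(query.to_s).each do |name, values|
    next unless WATCHED_PARAMS.include?(name)
    values.each do |v|
      decoded = CGI.unescape(v) # second pass exposes double-encoded payloads
      hits << name if XSS_INDICATORS.any? { |re| decoded.match?(re) }
    end
  end
  hits.uniq
end

# Scan a whole log; returns [[line_number, [param, ...]], ...] for hits only.
def scan_log(lines)
  lines.each_with_index.map do |line, i|
    hits = suspicious_params(line)
    [i + 1, hits] unless hits.empty?
  end.compact
end
```

Form submissions sent in a POST body never reach the access log's query string, so this check only covers GET-style submissions; covering POSTs needs application-level request logging.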


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-17T20:37:54.659Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a2a965ad5a09ad00a25315

Added to database: 8/18/2025, 4:17:41 AM

Last enriched: 8/18/2025, 4:32:44 AM

Last updated: 8/18/2025, 6:35:15 AM
