
CVE-2025-9106: Cross Site Scripting in Portabilis i-Diario

Severity: Medium
Tags: Vulnerability, CVE-2025-9106
Published: Mon Aug 18 2025 (08/18/2025, 04:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Diario

Description

A vulnerability was found in Portabilis i-Diario up to 1.5.0. This affects an unknown function of the file /planos-de-ensino-por-disciplina/ of the component Informações Adicionais Page. Manipulation of the argument Parecer/Conteúdos/Objetivos results in cross-site scripting. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/18/2025, 05:02:59 UTC

Technical Analysis

CVE-2025-9106 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Diario application, specifically affecting versions up to 1.5.0. The vulnerability resides in the component handling the /planos-de-ensino-por-disciplina/ path, within the Informações Adicionais Page. The flaw arises from improper sanitization or validation of user-supplied input in the parameters Parecer, Conteúdos, and Objetivos. An attacker can remotely craft malicious input to these parameters, which is then reflected in the web page without adequate encoding or filtering, enabling execution of arbitrary JavaScript code in the context of the victim's browser. The vulnerability requires low privileges (PR:L) and user interaction (UI:P), meaning an attacker must trick a user into clicking a crafted link or visiting a malicious page. The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed, and limited impact on confidentiality and integrity. The vendor has been contacted but has not responded or issued a patch, and no known exploits are currently observed in the wild. However, the exploit details have been publicly disclosed, increasing the risk of exploitation. XSS vulnerabilities can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, impacting users and the integrity of the affected web application. The lack of vendor response and patch availability increases exposure for organizations using i-Diario versions up to 1.5.0.

Potential Impact

For European organizations using Portabilis i-Diario, particularly educational institutions that rely on this platform for managing teaching plans and related academic content, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to execute malicious scripts in the browsers of educators, students, or administrators, potentially leading to theft of session cookies, unauthorized actions on behalf of users, or distribution of malware. This could disrupt educational activities, compromise user privacy, and damage institutional reputation. Since the vulnerability requires user interaction, phishing or social engineering campaigns targeting users of the platform could be effective. The absence of a vendor patch and public disclosure increases the urgency for mitigation. Additionally, given the sensitive nature of educational data and the increasing focus on data protection under GDPR, any compromise could have regulatory and compliance implications for European entities.

Mitigation Recommendations

Organizations should immediately implement input validation and output encoding controls at their application or web server level as a temporary mitigation. Web Application Firewalls (WAFs) can be configured to detect and block suspicious payloads targeting the vulnerable parameters (Parecer, Conteúdos, Objetivos). User awareness training should be enhanced to reduce the risk of phishing or social engineering attacks exploiting this vulnerability. Monitoring and logging of web application traffic should be increased to detect potential exploitation attempts. If possible, organizations should consider upgrading to a newer, unaffected version of i-Diario once available or applying custom patches to sanitize inputs. Isolating the affected component or restricting access to trusted users can reduce exposure. Regular backups and incident response plans should be reviewed and updated to prepare for potential exploitation scenarios.
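Added example, not code from the advisory or from Portabilis: the output-encoding pattern the mitigation calls for, a heuristic field check that can back a WAF or application-level rule for the three named parameters, and an access-log scan over constructed sample lines for the affected path. Ruby is used because i-Diario is a Rails application; the form keys parecer/conteudos/objetivos and the log format are assumptions, not values taken from the product.

```ruby
require 'cgi'
require 'uri'

# Form keys assumed for the Parecer/Conteúdos/Objetivos fields named in the
# advisory (hypothetical; i-Diario's real parameter names are not on the page).
ADDITIONAL_INFO_FIELDS = %w[parecer conteudos objetivos].freeze

# Hardened rendering: every user-controlled value is HTML-escaped before it is
# placed in the page. Emitting the raw value is the defect behind CVE-2025-9106.
def render_additional_info(params)
  ADDITIONAL_INFO_FIELDS.map do |field|
    "<p class=\"#{field}\">#{CGI.escapeHTML(params.fetch(field, '').to_s)}</p>"
  end.join("\n")
end

# Detection side (WAF rule or app-level check): a heuristic that flags fields
# whose value carries markup or event-handler syntax. It takes any decoded
# params hash, so it works for query strings and parsed POST bodies alike.
MARKUP_RE = /[<>]|javascript:|on[a-z]+\s*=/i

def flagged_fields(params)
  ADDITIONAL_INFO_FIELDS.select { |f| params[f] && MARKUP_RE.match?(params[f].to_s) }
end

# Access-log scanner for the affected path. Logs only carry query-string
# values; for form POSTs, run flagged_fields on the parsed body instead.
REQUEST_RE = /"(?:GET|POST) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/
AFFECTED_PATH = '/planos-de-ensino-por-disciplina/'

def suspicious_requests(log_lines)
  log_lines.filter_map do |line|
    m = REQUEST_RE.match(line)
    next unless m && m[:target].start_with?(AFFECTED_PATH)
    path, query = m[:target].split('?', 2)
    next unless query&.ascii_only? # nil query, or non-ASCII (decode_www_form raises)
    fields = flagged_fields(URI.decode_www_form(query).to_h)
    { path: path, fields: fields } unless fields.empty?
  end
end

# Constructed sample log lines (not real traffic); the second carries a
# percent-encoded <script> tag in the objetivos parameter.
SAMPLE_LOG = [
  '10.0.0.5 - - [18/Aug/2025:04:32:05 +0000] "GET /planos-de-ensino-por-disciplina/7?parecer=Bom+desempenho HTTP/1.1" 200 5120',
  '10.0.0.9 - - [18/Aug/2025:04:33:10 +0000] "GET /planos-de-ensino-por-disciplina/7?objetivos=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200',
  '10.0.0.9 - - [18/Aug/2025:04:34:00 +0000] "GET /login HTTP/1.1" 200 800'
].freeze
puts render_additional_info('parecer' => '<b>teste</b>')
p suspicious_requests(SAMPLE_LOG)
```

The markup regex is a heuristic and will produce false positives on ordinary prose containing angle brackets; tune it per deployment rather than blocking on it blindly.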


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-17T20:37:57.777Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a2b06cad5a09ad00a2881d

Added to database: 8/18/2025, 4:47:40 AM

Last enriched: 8/18/2025, 5:02:59 AM

Last updated: 8/18/2025, 6:35:13 AM

