CVE-2025-9107 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Diario software versions up to 1.5.0. The vulnerability arises from improper handling of the 'q' parameter in the /alunos/search_autocomplete endpoint. An attacker can craft malicious input for this parameter, which is then reflected in the web application's response without adequate sanitization or encoding, enabling the execution of arbitrary scripts in the context of the victim's browser. This vulnerability is remotely exploitable without requiring authentication, although it requires user interaction to trigger the malicious payload (e.g., a victim clicking a crafted link). The CVSS 4.0 base score is 5.3, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user authentication needed. The impact primarily affects confidentiality and integrity to a limited extent, as the vulnerability allows script execution that could lead to session hijacking, credential theft, or defacement, but does not directly compromise availability or system-level access. The vendor has been notified but has not responded or issued a patch, and no known exploits have been observed in the wild yet. Given the public disclosure and the nature of XSS vulnerabilities, exploitation is plausible especially in environments where users are less security-aware or where the affected software is widely deployed without mitigations such as Content Security Policy (CSP).

For European organizations using Portabilis i-Diario, particularly educational institutions or administrative bodies that rely on this software for student management, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data confidentiality. Successful exploitation could lead to unauthorized access to user accounts, leakage of sensitive student information, or manipulation of displayed data. While the vulnerability does not directly affect system availability, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. The risk is heightened in environments where users have elevated privileges or where the software is integrated with other sensitive systems. Additionally, since the vendor has not provided a patch, organizations may face prolonged exposure. The medium severity suggests that while the threat is not critical, it should not be ignored, especially given the public disclosure and ease of remote exploitation without authentication.

European organizations should implement specific mitigations beyond generic advice: 1) Deploy Web Application Firewalls (WAFs) with rules targeting reflected XSS patterns, particularly filtering or blocking suspicious input in the 'q' parameter of the /alunos/search_autocomplete endpoint. 2) Apply strict Content Security Policies (CSP) to restrict script execution sources and reduce the impact of injected scripts. 3) Conduct input validation and output encoding at the application layer if source code access is available, or engage with Portabilis for custom patches or updates. 4) Educate users about phishing and suspicious links to reduce the likelihood of successful social engineering exploitation. 5) Monitor web server logs for unusual requests targeting the vulnerable endpoint and implement anomaly detection to identify exploitation attempts. 6) If feasible, isolate the i-Diario application within a segmented network zone to limit lateral movement in case of compromise. 7) Regularly review and update incident response plans to include scenarios involving XSS exploitation and data leakage. These targeted actions will help reduce the attack surface and mitigate the risk until an official patch is released.