CVE-2025-9638: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Portabilis i-Educar
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portabilis i-Educar allows Stored Cross-Site Scripting (XSS) via the matricula_interna parameter in the educar_usuario_cad.php endpoint. This issue affects i-Educar: 2.10.0.
AI Analysis
Technical Summary
CVE-2025-9638 identifies a stored Cross-Site Scripting (XSS) vulnerability in Portabilis i-Educar version 2.10.0, a software platform used for educational management. The vulnerability arises from improper neutralization of input in the matricula_interna parameter within the educar_usuario_cad.php endpoint. Specifically, the application fails to adequately validate or encode user-supplied input before embedding it into web pages, so an attacker can submit markup or JavaScript that is stored on the server and later executed in the browsers of users who view the affected pages. The vulnerability is classified under CWE-79, which covers improper input neutralization during web page generation. The CVSS 4.8 score reflects medium severity: exploitation requires high privileges (PR:H) and passive user interaction (UI:P), but no authentication bypass or complex conditions. The attack vector is network-based (AV:N), and the subsequent-system confidentiality metric is low (SC:L), meaning the impact on systems beyond the vulnerable component is limited. Although no known exploits are currently reported in the wild, stored XSS can enable session hijacking, defacement, or phishing by executing arbitrary scripts in the context of authenticated users. This can compromise the confidentiality and integrity of user data and potentially lead to further exploitation within the affected environment. The vulnerability affects only version 2.10.0 of i-Educar, and no official patches have been linked yet, indicating that remediation may require vendor intervention or custom mitigations. It is particularly relevant to educational institutions using i-Educar for managing student and user data, as attackers could leverage the flaw to target students, teachers, or administrators.
Potential Impact
For European organizations, especially educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized script execution within user sessions. The stored XSS can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users, undermining confidentiality and integrity of sensitive educational data. While availability is not directly impacted, successful exploitation could disrupt user trust and lead to reputational damage. The requirement for high privileges to exploit limits the attack surface but does not eliminate risk, as insider threats or compromised accounts could be leveraged. Given the widespread use of web-based educational platforms in Europe, exploitation could affect student records, personal information, and administrative functions. The lack of known exploits in the wild reduces immediate risk but does not preclude future attacks. Countries with higher adoption of i-Educar or similar platforms, and those with strategic emphasis on digital education infrastructure, may face greater exposure. The vulnerability could also be leveraged in targeted phishing campaigns against educational staff and students, amplifying its impact.
Mitigation Recommendations
Organizations should immediately audit their use of Portabilis i-Educar version 2.10.0 and restrict access to the educar_usuario_cad.php endpoint to trusted, authenticated users with minimal privileges. Implement strict input validation and output encoding on the matricula_interna parameter to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor logs for suspicious activity related to this endpoint and user input. Since no official patch is currently available, consider deploying Web Application Firewalls (WAF) with custom rules to detect and block XSS payloads targeting this parameter. Educate users about phishing risks and encourage cautious behavior regarding unexpected links or inputs. Coordinate with the vendor Portabilis for timely updates and patches. Regularly update and test backup and recovery procedures to mitigate potential impacts of exploitation. Finally, conduct security awareness training for administrators and users to recognize and report suspicious behavior.
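The input validation and output encoding recommended above, shown as an added illustration in PHP (the language of the affected endpoint); this is not i-Educar's code, and the field format, function names and CSP value are assumptions for the example:

```php
<?php
// Added illustration, not i-Educar code: a hypothetical save/render pair for a
// "matricula_interna" form field showing the CWE-79 pattern and how to fix it.
declare(strict_types=1);

// Vulnerable pattern: the stored value is written into HTML unchanged, so any
// markup a privileged user saved is interpreted by every browser that views it.
function renderMatriculaVulnerable(string $stored): string
{
    return '<td>' . $stored . '</td>';
}

// Fix 1: validate on input. This example assumes an internal enrolment number
// is a short alphanumeric identifier; anything else is rejected rather than "cleaned".
function validateMatriculaInterna(string $input): ?string
{
    $input = trim($input);
    return preg_match('/^[A-Za-z0-9-]{1,20}$/', $input) === 1 ? $input : null;
}

// Fix 2: encode on output for the HTML element context, even for validated data,
// so stored values are always rendered as text and never as markup.
function renderMatriculaSafe(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Fix 3: defence in depth. A CSP without 'unsafe-inline' stops inline script from
// running even if an encoding step is missed somewhere else in the application.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample input used only to demonstrate the difference.
$sample = '<script>alert(1)</script>';

sendCspHeader();                                  // must be sent before any output
echo renderMatriculaVulnerable($sample), "\n";    // markup reaches the page intact
echo renderMatriculaSafe($sample), "\n";          // angle brackets become entities
var_dump(validateMatriculaInterna($sample));      // rejected by the input check
var_dump(validateMatriculaInterna('2025-00123')); // accepted by the input check
```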
Affected Countries
Portugal, Spain, Italy, France, Germany
Technical Details
- Data Version: 5.2
- Assigner Short Name: Fluid Attacks
- Date Reserved: 2025-08-29T02:11:54.469Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69384a3e795dcaf6c511e718
Added to database: 12/9/2025, 4:11:42 PM
Last enriched: 12/9/2025, 4:16:59 PM
Last updated: 12/10/2025, 11:07:53 PM