
CVE-2025-9653: Cross Site Scripting in Portabilis i-Educar

Severity: Medium
Published: Fri Aug 29 2025 (08/29/2025, 14:32:08 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/educar_projeto_cad.php of the component Cadastrar projeto Page. Such manipulation of the argument nome/observacao leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 08/29/2025, 15:02:44 UTC

Technical Analysis

CVE-2025-9653 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Educar software, specifically affecting versions up to 2.10. The vulnerability resides in the /intranet/educar_projeto_cad.php file within the component responsible for the 'Cadastrar projeto' (Register project) page. The flaw arises due to improper sanitization or validation of user-supplied input in the 'nome' and 'observacao' parameters, which can be manipulated to inject malicious scripts. This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser when they access a crafted URL or page. The attack can be launched remotely without requiring authentication, although user interaction is necessary to trigger the payload (e.g., by visiting a malicious link). The CVSS 4.0 score is 5.1 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction and limited impact on confidentiality and integrity. The vulnerability does not affect availability and does not involve scope or authorization changes. While no known exploits are reported in the wild, a public exploit is available, increasing the risk of exploitation. The vulnerability could be leveraged for session hijacking, credential theft, or delivering further malware, especially in environments where i-Educar is used for educational management and contains sensitive student or staff data.

Potential Impact

For European organizations using Portabilis i-Educar, particularly educational institutions such as schools, universities, and education departments, this vulnerability poses a risk to the confidentiality and integrity of user sessions and data. Successful exploitation could allow attackers to steal session cookies, impersonate users, or conduct phishing attacks by injecting malicious scripts into trusted web pages. This could lead to unauthorized access to sensitive educational records, personal information of students and staff, and disruption of administrative processes. Although the vulnerability does not directly impact availability, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. The risk is heightened in environments where users have elevated privileges or where the software is accessible over the internet without adequate network protections.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize applying patches or updates from Portabilis as soon as they become available. In the absence of official patches, organizations should implement strict input validation and output encoding on the 'nome' and 'observacao' parameters to neutralize malicious scripts. Web application firewalls (WAFs) can be configured to detect and block common XSS payloads targeting these parameters. Additionally, organizations should enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. User awareness training should emphasize caution when clicking on unexpected links, especially those related to the i-Educar platform. Network segmentation and limiting access to the i-Educar intranet interface can reduce exposure. Regular security assessments and monitoring for unusual activity related to the application are also recommended.
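As an added, defender-side example (not code from the advisory or from i-Educar), the following Python scans web-server access-log lines for GET requests to the affected script whose 'nome' or 'observacao' value carries script markers, the kind of check a WAF rule or log monitor for this CVE would implement; the log format, marker list and sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Path and parameters named in the advisory.
AFFECTED_PATH = "/intranet/educar_projeto_cad.php"
WATCHED_PARAMS = ("nome", "observacao")

# Markers with no business in a name/note field (assumed list, matched after URL decoding).
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

# Apache/nginx combined-style log line; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for watched params whose value carries XSS markers."""
    parts = urlsplit(target)
    if parts.path != AFFECTED_PATH:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in WATCHED_PARAMS:
            for raw in values:
                value = unquote_plus(raw)  # second decode catches double-encoded payloads
                if XSS_MARKERS.search(value):
                    hits[name] = value
    return hits

def scan_log(lines) -> list:
    """Return (client ip, timestamp, {param: value}) for each line that trips the check."""
    # POST bodies never reach the access log: form submissions abusing the same
    # parameters are only visible at the WAF or application layer.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m.group("target"))):
            findings.append((m.group("ip"), m.group("ts"), hits))
    return findings

# Constructed sample lines (not real traffic): benign, <script> in nome, POST, double-encoded handler.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Aug/2025:14:32:08 +0000] "GET /intranet/educar_projeto_cad.php?nome=Feira%20de%20Ci%C3%AAncias&observacao=turma+3B HTTP/1.1" 200 5120',
    '203.0.113.9 - - [29/Aug/2025:14:33:41 +0000] "GET /intranet/educar_projeto_cad.php?nome=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5133',
    '203.0.113.9 - - [29/Aug/2025:14:34:02 +0000] "POST /intranet/educar_projeto_cad.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [29/Aug/2025:14:35:10 +0000] "GET /intranet/educar_projeto_cad.php?observacao=x%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 5130',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the second and fourth lines; the benign request and the POST (whose parameters are in the body, not the request line) produce no finding.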


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T06:54:18.967Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b1bd93ad5a09ad0078bc87

Added to database: 8/29/2025, 2:47:47 PM

Last enriched: 8/29/2025, 3:02:44 PM

Last updated: 8/29/2025, 3:59:20 PM
