
CVE-2025-9720: Cross Site Scripting in Portabilis i-Educar

Medium
Vulnerability: CVE-2025-9720
Published: Sun Aug 31 2025 (08/31/2025, 07:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was detected in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/TabelaArredondamento/edit of the component Cadastrar tabela de arredondamento Page. The manipulation of the argument Nome results in cross site scripting. The attack may be performed from a remote location. The exploit is now public and may be used.

AI-Powered Analysis

AI analysis last updated: 08/31/2025, 07:32:45 UTC

Technical Analysis

CVE-2025-9720 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Educar software, versions 2.0 through 2.10. The vulnerability resides in an unspecified function within the /module/TabelaArredondamento/edit file, specifically in the component responsible for managing the 'Cadastrar tabela de arredondamento' page. The flaw arises from improper sanitization or validation of the 'Nome' argument, which an attacker can manipulate to inject malicious scripts. This vulnerability can be exploited remotely without authentication, requiring only user interaction to trigger the malicious payload. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required, but it does require user interaction. The impact primarily affects the integrity and confidentiality of user sessions by enabling script execution in the victim's browser context, potentially leading to session hijacking, defacement, or redirection to malicious sites. Although no known exploits are currently active in the wild, the exploit code is publicly available, increasing the risk of exploitation. The vulnerability does not affect system availability directly and does not require special security capabilities to exploit. No official patches or mitigation links have been provided yet by the vendor.
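The analysis above describes the classic shape of this bug: a user-controlled field (here the 'Nome' argument of the rounding-table form) is copied into the page without output encoding. The following Python example is added here to illustrate that pattern and its fix; it is not i-Educar code and does not reproduce the project's handler. The two render functions, the `CONSTRUCTED_NOME` test value and the `injected_script_elements` checker are all hypothetical constructs for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed test value: a name that closes the value attribute and
# opens a script element if it is written into the markup unencoded.
CONSTRUCTED_NOME = '"><script>alert(1)</script>'


def render_edit_form_vulnerable(nome: str) -> str:
    """Hypothetical 'before' handler: the field value is interpolated into
    HTML as-is, so markup inside it becomes part of the page."""
    return (
        "<h2>Cadastrar tabela de arredondamento</h2>\n"
        f'<input name="nome" value="{nome}">'
    )


def render_edit_form_hardened(nome: str) -> str:
    """Hardened handler: the value is HTML-encoded at the point where it is
    written into the page, so <, >, & and quotes stay literal text."""
    safe = html.escape(nome, quote=True)
    return (
        "<h2>Cadastrar tabela de arredondamento</h2>\n"
        f'<input name="nome" value="{safe}">'
    )


class _ActiveContentCounter(HTMLParser):
    """Counts script elements and inline event-handler attributes (on*=)
    that a browser would actually execute when parsing the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.active = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.active += 1
        self.active += sum(1 for name, _ in attrs if name.lower().startswith("on"))


def injected_script_elements(markup: str) -> int:
    """Return how many executable script elements / event handlers the
    rendered page contains. For a form that should contain none, any
    non-zero result means the field value escaped its attribute."""
    counter = _ActiveContentCounter()
    counter.feed(markup)
    counter.close()
    return counter.active


if __name__ == "__main__":
    for label, render in (("vulnerable", render_edit_form_vulnerable),
                          ("hardened", render_edit_form_hardened)):
        page = render(CONSTRUCTED_NOME)
        print(f"{label}: {injected_script_elements(page)} executable element(s)")
        print(page, end="\n\n")
```

The checker parses the rendered page the way a browser would, rather than grepping for the payload string, which is why the encoded version counts zero even though the same characters are still present as `&lt;script&gt;`. The same encoding must be applied everywhere the value is emitted (headings, table cells, attributes), since the vulnerable function shows how one missed sink is enough.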

Potential Impact

For European organizations using Portabilis i-Educar, particularly educational institutions and administrative bodies, this vulnerability poses a risk to the confidentiality and integrity of user data and sessions. Exploitation could allow attackers to steal session cookies, perform actions on behalf of legitimate users, or deliver further malware payloads through the victim's browser. This could lead to unauthorized access to sensitive educational records, manipulation of data, or disruption of educational services. Given that i-Educar is an education management system, the exposure of student and staff information could have regulatory and reputational consequences under GDPR and other data protection laws. The medium severity score reflects that while the vulnerability is exploitable remotely and without privileges, it requires user interaction, limiting the scope somewhat. However, the public availability of exploit code increases the urgency for mitigation. The lack of patches means organizations must rely on interim protective measures to reduce risk.

Mitigation Recommendations

European organizations should implement multiple layers of defense to mitigate this vulnerability. First, apply strict input validation and output encoding on the 'Nome' parameter within the affected module, if source code access and patching are possible. If vendor patches become available, prioritize their deployment. In the interim, deploy web application firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the affected endpoint. Educate users to be cautious about clicking on suspicious links or interacting with untrusted content within the i-Educar platform. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the platform. Monitor logs for unusual activity related to the /module/TabelaArredondamento/edit endpoint. Additionally, restrict access to the affected module to trusted users and networks where feasible, and consider isolating the application environment to limit lateral movement in case of compromise. Regularly review and update security configurations and conduct penetration testing focused on XSS vulnerabilities.
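The recommendation to monitor logs for unusual activity against the /module/TabelaArredondamento/edit endpoint can be turned into a concrete check. The Python below is an added example, not tooling from the vendor or from this advisory: it parses constructed web-server access-log lines in the common combined format, keeps only requests to the affected path, URL-decodes any 'Nome' parameter and flags values that contain markup or script-like constructs. The log lines, the `TARGET_PATH` constant and the rule regex are assumptions for the illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory; everything else is ignored by the check.
TARGET_PATH = "/module/TabelaArredondamento/edit"

# Combined-format access log: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators that a name value carries markup rather than text:
# a tag opener, an inline event handler, or a javascript: URL scheme.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|on\w+\s*=|javascript\s*:", re.IGNORECASE)

# Constructed sample lines: one injection attempt, one legitimate edit,
# one request to an unrelated module.
CONSTRUCTED_LOG = [
    '203.0.113.10 - - [31/Aug/2025:07:02:06 +0000] '
    '"GET /module/TabelaArredondamento/edit?Nome=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [31/Aug/2025:07:05:41 +0000] '
    '"GET /module/TabelaArredondamento/edit?Nome=Tabela%20Padr%C3%A3o HTTP/1.1" 200 498',
    '198.51.100.7 - - [31/Aug/2025:07:06:12 +0000] '
    '"GET /module/Login?Nome=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 302 0',
]


def nome_values(target: str) -> list:
    """Extract every 'Nome' value (case-insensitive key) from the request
    target, decoding twice so a double-encoded payload is not missed."""
    query = urlsplit(target).query
    values = []
    for key, vals in parse_qs(query, keep_blank_values=True).items():
        if key.lower() == "nome":
            values.extend(unquote(v) for v in vals)
    return values


def flag_suspicious_requests(lines) -> list:
    """Return one record per request to TARGET_PATH whose 'Nome' parameter
    looks like markup. Lines that do not parse are skipped, not raised."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        target = match["target"]
        if urlsplit(target).path != TARGET_PATH:
            continue
        for value in nome_values(target):
            if MARKUP_RE.search(value):
                hits.append({
                    "ip": match["ip"],
                    "ts": match["ts"],
                    "status": match["status"],
                    "nome": value,
                })
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_requests(CONSTRUCTED_LOG):
        print(f"{hit['ts']} {hit['ip']} -> Nome={hit['nome']!r}")
```

Two caveats apply when running this against real logs. The form is most likely submitted with POST, in which case the parameter is in the request body and does not appear in a standard access log; the same rule then belongs in the WAF or in application-level request logging. And a match on this rule is an indicator for review, not proof of compromise: the hardened rendering in the earlier section is what stops the payload, the log check only tells you someone tried.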


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-30T13:34:56.635Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b3f718ad5a09ad00b59117

Added to database: 8/31/2025, 7:17:44 AM

Last enriched: 8/31/2025, 7:32:45 AM

Last updated: 9/1/2025, 8:51:03 AM
