CVE-2025-9720: Cross Site Scripting in Portabilis i-Educar
A vulnerability was detected in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/TabelaArredondamento/edit of the component Cadastrar tabela de arredondamento Page. The manipulation of the argument Nome results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used.
AI Analysis
Technical Summary
CVE-2025-9720 identifies a cross-site scripting (XSS) vulnerability in the Portabilis i-Educar platform, a widely used educational management system. The vulnerability resides in the /module/TabelaArredondamento/edit page, specifically in the processing of the 'Nome' parameter within the 'Cadastrar tabela de arredondamento' component. Missing or improper sanitization and output encoding of this input allows an attacker to inject arbitrary JavaScript, which executes in the context of the victim's browser when they visit the affected page. The attack vector is remote and does not require prior authentication, but user interaction is necessary to trigger the malicious script, such as clicking a crafted link or viewing a manipulated page. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:P), limited impact on integrity (VI:L) and no impact on confidentiality (VC:N). The vulnerability does not affect availability or system control. While no known exploits are currently active in the wild, a public exploit exists, increasing the risk of exploitation. The vulnerability affects all versions up to 2.10, indicating a broad scope within the i-Educar user base. The lack of official patches at the time of publication necessitates immediate mitigation efforts by administrators.
Potential Impact
For European organizations, especially educational institutions using Portabilis i-Educar, this vulnerability could lead to unauthorized script execution within user browsers, potentially resulting in session hijacking, credential theft, or defacement of the web interface. Although the impact on system integrity and availability is limited, the confidentiality of user data and trust in the platform could be compromised. Attackers could leverage this vulnerability to conduct phishing or social engineering campaigns targeting staff or students. Given the remote exploitability and public availability of exploit code, the risk of exploitation is tangible. The medium severity reflects the balance between ease of attack and limited scope of damage, but the educational sector's sensitivity to data privacy and operational continuity elevates the concern. Organizations failing to address this vulnerability may face reputational damage and regulatory scrutiny under GDPR if personal data is exposed.
Mitigation Recommendations
Administrators should immediately implement input validation and output encoding on the 'Nome' parameter within the affected module to prevent script injection. Employing a web application firewall (WAF) with rules targeting XSS payloads can provide a temporary protective layer until official patches are released. Restrict user input length and allowed characters to minimize injection vectors. Educate users to avoid clicking suspicious links and report unusual behavior. Regularly monitor logs for anomalous requests targeting the vulnerable endpoint. If possible, isolate or restrict access to the affected module to trusted users only. Coordinate with Portabilis for timely patch deployment once available. Additionally, implement Content Security Policy (CSP) headers to reduce the impact of any injected scripts. Conduct security awareness training focused on phishing and XSS risks for staff and students.
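The log-monitoring step above, as an added example that is not part of this advisory or of i-Educar: a Python scanner over constructed combined-format access-log lines that flags requests to the affected endpoint whose Nome query parameter carries markup (including double-URL-encoded values). It assumes the parameter arrives in the query string; POST bodies are not recorded in standard access logs and would need a WAF or application-level log instead.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint named in the advisory; a Nome value is expected to be a plain table name.
ENDPOINT = "/module/TabelaArredondamento/edit"
# Markup or script markers that have no business in a rounding-table name.
SUSPICIOUS = re.compile(r"<\s*/?[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not real traffic): a benign edit, an unrelated request,
# a request carrying markup in Nome, and a double-URL-encoded variant of the same.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2025:09:00:01 +0000] "GET /module/TabelaArredondamento/edit?Nome=Tabela+Padr%C3%A3o HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Sep/2025:09:00:02 +0000] "GET /module/Portabilis/index HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Sep/2025:09:00:03 +0000] "GET /module/TabelaArredondamento/edit?Nome=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Sep/2025:09:00:04 +0000] "GET /module/TabelaArredondamento/edit?Nome=%253Cb%2520onclick%253Dx%253E HTTP/1.1" 200 512',
]

def suspicious_nome_values(request_target):
    """Nome values that look like markup; None when the request is not for ENDPOINT."""
    parts = urlsplit(request_target)
    if parts.path != ENDPOINT:
        return None
    flagged = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("Nome", []):
        # parse_qs decodes once; decode again to catch double-encoded input.
        for candidate in (value, unquote_plus(value)):
            if SUSPICIOUS.search(candidate):
                flagged.append(candidate)
                break
    return flagged

def scan_access_log(lines):
    """One finding per request to the affected endpoint whose Nome carries markup."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, method, target, status = m.groups()
        flagged = suspicious_nome_values(target)
        if flagged:
            findings.append({"client": client, "time": ts, "method": method,
                             "status": status, "nome": flagged})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} {f['status']} Nome={f['nome']}")
```

A hit on a 200 response is more interesting than one on a 4xx, since it means the value reached the application rather than being rejected at the edge.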
Affected Countries
Portugal, Spain, Italy, France, Germany, Poland, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-30T13:34:56.635Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b3f718ad5a09ad00b59117
Added to database: 8/31/2025, 7:17:44 AM
Last enriched: 10/13/2025, 8:44:39 PM
Last updated: 10/16/2025, 3:08:51 AM