CVE-2025-9721 is a cross-site scripting vulnerability identified in Portabilis i-Educar, an open-source educational management system widely used in some regions. The vulnerability resides in an unspecified function within the /module/FormulaMedia/edit file, where the parameters 'nome' or 'formulaMedia' are improperly sanitized. This allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser when they interact with crafted input or URLs. The vulnerability can be triggered remotely without authentication, but requires user interaction, such as clicking a malicious link or visiting a compromised page. The CVSS 4.0 score of 5.1 reflects a medium severity, considering the ease of exploitation (network attack vector, low attack complexity), no privileges required, but user interaction needed. The impact primarily affects confidentiality and integrity by enabling theft of session cookies, defacement, or redirection to malicious sites. No known active exploitation has been reported, but proof-of-concept code is publicly available, increasing the risk of future attacks. The vulnerability affects all versions up to 2.10, necessitating patching or mitigation. Given i-Educar's role in managing sensitive educational data, exploitation could disrupt operations or lead to data breaches.

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses risks to the confidentiality and integrity of user data, including student records and administrative information. Successful exploitation could allow attackers to hijack user sessions, steal credentials, or perform unauthorized actions within the application. This could lead to data breaches, reputational damage, and potential regulatory penalties under GDPR due to exposure of personal data. Additionally, attackers could use the vulnerability to deliver further malware or phishing attacks targeting staff and students. The medium severity indicates moderate risk, but the presence of publicly available exploits increases urgency. Disruption of educational services could also impact operational continuity. Organizations relying on i-Educar should assess their exposure and implement mitigations promptly to avoid exploitation.

1. Apply official patches or updates from Portabilis as soon as they become available to address the vulnerability directly. 2. Implement strict input validation and output encoding on the affected parameters ('nome' and 'formulaMedia') to prevent injection of malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application. 4. Conduct security awareness training for users to recognize and avoid clicking suspicious links or interacting with untrusted content. 5. Monitor web application logs for unusual requests targeting the /module/FormulaMedia/edit endpoint and anomalous parameter values. 6. Use web application firewalls (WAF) with custom rules to detect and block XSS attack patterns targeting this vulnerability. 7. Regularly audit and test the application for XSS and other injection flaws to proactively identify and remediate weaknesses. 8. Limit user privileges within the application to minimize the impact of potential session hijacking or unauthorized actions.