
CVE-2025-9721: Cross Site Scripting in Portabilis i-Educar

Severity: Medium
Published: Sun Aug 31 2025 (08/31/2025, 07:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A flaw has been found in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /module/FormulaMedia/edit. This manipulation of the argument nome/formulaMedia causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used.

AI-Powered Analysis

Last updated: 08/31/2025, 08:02:45 UTC

Technical Analysis

CVE-2025-9721 is a cross-site scripting (XSS) vulnerability identified in the Portabilis i-Educar platform, specifically affecting versions 2.0 through 2.10. The vulnerability resides in an unspecified function within the /module/FormulaMedia/edit file, where improper handling of the 'nome' or 'formulaMedia' arguments allows an attacker to inject malicious scripts. This flaw can be exploited remotely without requiring authentication, although user interaction is necessary to trigger the malicious payload. The vulnerability has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required, but it requires user interaction. The impact primarily affects the confidentiality and integrity of the affected system, with limited impact on availability. Exploitation could allow attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the i-Educar platform. Although no known exploits are currently observed in the wild, a proof-of-concept exploit has been published, increasing the risk of future attacks. The vulnerability is particularly concerning for educational institutions using i-Educar, as it may compromise sensitive student and staff data or disrupt educational operations.

Potential Impact

For European organizations, especially educational institutions and administrative bodies using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to sensitive educational data and user credentials. Successful exploitation could lead to session hijacking, data leakage, or manipulation of educational records, undermining trust and compliance with data protection regulations such as GDPR. The remote exploitability without authentication increases the attack surface, particularly in environments where i-Educar is accessible over the internet. The requirement for user interaction means phishing or social engineering campaigns could be used to trigger the attack, potentially targeting staff or students. Disruption or compromise of educational platforms can have cascading effects on educational continuity and institutional reputation. Given the medium severity, the threat is moderate but should not be underestimated due to the sensitive nature of educational data and the potential for lateral movement within organizational networks.

Mitigation Recommendations

Organizations should prioritize updating Portabilis i-Educar to a patched version once one is available; no patch links are currently provided. In the interim, apply strict input validation and context-appropriate output encoding (HTML entity encoding wherever these values are rendered into a page) to the affected parameters ('nome' and 'formulaMedia') so that injected markup is displayed literally rather than executed. Employ web application firewalls (WAFs) configured to detect and block XSS payloads aimed at the vulnerable endpoint, treating this as a stopgap rather than a fix. Educate users, particularly staff and students, about phishing and suspicious links, since the attack requires a victim to open a crafted link. Restrict access to the i-Educar platform to trusted networks or via VPN to limit exposure. Conduct regular security assessments and monitor web server logs for unusual requests to the FormulaMedia module, in particular requests whose 'nome' or 'formulaMedia' values contain markup or script-like content. Additionally, deploy Content Security Policy (CSP) headers to limit the impact of any XSS that does get through by restricting which scripts the browser may execute.
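As an added example (not code from the advisory or from the i-Educar project), the following Python script shows the two defensive measures above side by side: the output-encoding function that neutralises a value such as 'nome' before it is rendered, and a log check that flags requests to the affected endpoint whose watched parameters carry script-like values. It assumes Apache/Nginx combined-format access logs; the sample log lines and the second endpoint path are constructed, while the endpoint and parameter names come from the advisory.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Endpoint and parameter names as given in the advisory.
VULN_PATH = "/module/FormulaMedia/edit"
WATCHED_PARAMS = ("nome", "formulaMedia")

# Defensive heuristic for script injection in a parameter value (a triage aid, not an HTML parser).
XSS_MARKERS = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b", re.I)
# Request line of an Apache/Nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def encode_for_html(value: str) -> str:
    """Output encoding the advisory recommends: escape the stored value when it
    is rendered, so '<script>' is displayed literally rather than executed."""
    return html.escape(value, quote=True)


def flag_request(log_line: str):
    """Return (param, decoded_value) for a request to the affected endpoint whose
    watched parameter looks script-like, else None. Only GET query strings are
    visible in access logs; POST bodies are not."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlparse(match.group(1))
    if url.path != VULN_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = unquote(raw)  # second pass catches double-encoded values
            if XSS_MARKERS.search(value):
                return (name, value)
    return None


def scan(lines):
    """(index, finding) for every suspicious request in an iterable of log lines."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := flag_request(line))]


# Constructed sample lines, not real traffic: a benign edit, an injection attempt
# against 'nome', and a script-like value on an unrelated (made-up) endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Aug/2025:07:32:06 +0000] "GET /module/FormulaMedia/edit?id=3&nome=M%C3%A9dia+Final HTTP/1.1" 200 5120',
    '10.0.0.9 - - [31/Aug/2025:07:40:11 +0000] "GET /module/FormulaMedia/edit?id=3&nome=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '10.0.0.9 - - [31/Aug/2025:07:41:02 +0000] "GET /module/Other/edit?nome=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 900',
]
```

Running `scan(SAMPLE_LOG)` flags only the second line; the third is ignored because the heuristic is scoped to the endpoint named in the advisory, which keeps false positives down on a busy server.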


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-30T13:35:06.628Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b3fe20ad5a09ad00b5c7be

Added to database: 8/31/2025, 7:47:44 AM

Last enriched: 8/31/2025, 8:02:45 AM

Last updated: 9/1/2025, 6:11:03 AM
