CVE-2025-9722: Cross Site Scripting in Portabilis i-Educar
A vulnerability has been found in Portabilis i-Educar up to version 2.10. The affected component is an unidentified function in the file /intranet/educar_tipo_ocorrencia_disciplinar_cad.php. Manipulation of the argument nm_tipo/descricao leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-9722 is a cross-site scripting vulnerability identified in Portabilis i-Educar, a widely used educational management system, affecting all versions up to 2.10. The vulnerability resides in the /intranet/educar_tipo_ocorrencia_disciplinar_cad.php script, specifically in the handling of the nm_tipo/descricao parameter. This parameter is not properly sanitized or encoded before being reflected in the web page, allowing attackers to inject arbitrary JavaScript code. The attack vector is remote and does not require authentication, but successful exploitation depends on user interaction, such as clicking a maliciously crafted URL. The vulnerability can be exploited to execute scripts in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. Although no active exploits have been reported in the wild, the public disclosure of the vulnerability and proof-of-concept code increases the risk of exploitation. The CVSS 4.0 base score of 5.1 reflects a medium severity, considering the network attack vector, low complexity, no privileges required, but user interaction needed. The vulnerability impacts confidentiality and integrity but not availability. The lack of vendor patches at the time of disclosure means organizations must implement interim mitigations to reduce risk. This vulnerability highlights the importance of secure input validation and output encoding in web applications, especially those handling sensitive educational data.
Potential Impact
For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk to the confidentiality and integrity of user data, including student and staff information. Exploitation could lead to session hijacking, unauthorized data access, or manipulation of educational records. This undermines trust in the educational platform and could result in regulatory non-compliance under GDPR due to potential data breaches. The impact extends to reputational damage and operational disruption if attackers leverage the vulnerability for phishing or spreading malware. Since the vulnerability requires user interaction, social engineering campaigns could be targeted at staff or students. The medium severity indicates a moderate risk, but the widespread use of i-Educar in certain regions elevates the potential impact. Organizations failing to address this vulnerability may face increased exposure to cyberattacks, data leakage, and compliance penalties.
Mitigation Recommendations
1. Immediately restrict access to the /intranet/educar_tipo_ocorrencia_disciplinar_cad.php page to trusted users only, using network segmentation or access control lists.
2. Implement strict input validation on the nm_tipo/descricao parameter to allow only expected characters and lengths.
3. Apply proper output encoding (e.g., HTML entity encoding) before reflecting user input in web pages to prevent script execution.
4. Educate users about the risks of clicking unknown or suspicious links to reduce successful social engineering exploitation.
5. Monitor web server logs for unusual requests targeting the vulnerable parameter to detect potential exploitation attempts.
6. Engage with Portabilis for official patches or updates and prioritize timely application once available.
7. Consider deploying Web Application Firewalls (WAFs) with custom rules to block malicious payloads targeting this vulnerability.
8. Conduct regular security assessments and code reviews to identify and remediate similar input validation issues proactively.
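The following is an added example written for this advisory; it is not i-Educar code and does not reproduce the affected script. It shows recommendations 2, 3 and 5 together: an assumed allow-list for the two fields the advisory names (nm_tipo and descricao), HTML-entity encoding of those values before they are reflected (beside the unencoded pattern the advisory describes, kept only for contrast), and a scan of web server access-log lines for requests to the affected page whose parameter values would fail the same allow-list. The character set, length limits, combined-log format and sample log lines are all constructed assumptions.

```python
"""Added example for CVE-2025-9722 (not Portabilis i-Educar code): allow-list
validation, output encoding and access-log detection for the nm_tipo and
descricao fields named in the advisory."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Path taken from the advisory.
AFFECTED_PATH = "/intranet/educar_tipo_ocorrencia_disciplinar_cad.php"

# Assumed allow-list and length limits for the two fields (not the project's rules):
# letters including accented ones, digits, whitespace and light punctuation,
# and none of the HTML metacharacters < > " ' &.
FIELD_LIMITS = {"nm_tipo": 100, "descricao": 500}
ALLOWED_RE = re.compile(r"[\w\s.,;:()/\-]*")


def is_valid(field, value):
    """Recommendation 2: accept only known fields, expected characters and lengths."""
    limit = FIELD_LIMITS.get(field)
    if limit is None or not 0 < len(value) <= limit:
        return False
    return ALLOWED_RE.fullmatch(value) is not None


def render_unsafe(nm_tipo, descricao):
    """The pattern the advisory describes: values reflected with no encoding.
    Kept only to contrast with render_safe; never use this form."""
    return (f'<input name="nm_tipo" value="{nm_tipo}">'
            f'<textarea name="descricao">{descricao}</textarea>')


def render_safe(nm_tipo, descricao):
    """Recommendation 3: HTML-entity encode before reflecting. quote=True also
    encodes the quote characters, which matters inside the value="" attribute."""
    return (f'<input name="nm_tipo" value="{html.escape(nm_tipo, quote=True)}">'
            f'<textarea name="descricao">{html.escape(descricao, quote=True)}</textarea>')


# Apache/nginx combined log format (assumed); captures client IP, timestamp and request target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def scan_access_log(lines):
    """Recommendation 5: flag requests to the affected page whose nm_tipo or
    descricao value fails the allow-list. Returns (ip, timestamp, field, value)."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != AFFECTED_PATH:
            continue
        # parse_qs percent-decodes the values, so the check sees what the app would see.
        for field, values in parse_qs(parts.query, keep_blank_values=True).items():
            if field not in FIELD_LIMITS:
                continue
            for value in values:
                if not is_valid(field, value):
                    findings.append((m.group("ip"), m.group("ts"), field, value))
    return findings


# Constructed sample log lines; addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    '198.51.100.10 - - [31/Aug/2025:08:02:44 +0000] "GET /intranet/educar_tipo_ocorrencia_disciplinar_cad.php?nm_tipo=Atraso&descricao=Chegada%20tardia HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [31/Aug/2025:08:03:10 +0000] "GET /intranet/educar_tipo_ocorrencia_disciplinar_cad.php?nm_tipo=%3Cscript%3Eprobe%3C%2Fscript%3E HTTP/1.1" 200 2400 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [31/Aug/2025:08:04:00 +0000] "GET /intranet/educar_index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", hit)
    print(render_safe("<script>probe</script>", 'x" onfocus="y'))
```

The same allow-list serves both purposes: applied at input time it rejects the request (recommendation 2), and applied to logs it surfaces attempts that reached the page before a fix was in place (recommendation 5). Note that access logs only carry the query string of GET requests; if the form is submitted by POST, the values are not logged by default and detection has to happen at the application or WAF layer, where recommendation 7's custom rules can enforce the same allow-list.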
Affected Countries
Portugal, Spain, Italy, France, Germany, Poland, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-30T13:35:09.269Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b401a4ad5a09ad00b5e9ec
Added to database: 8/31/2025, 8:02:44 AM
Last enriched: 10/13/2025, 8:45:13 PM
Last updated: 10/16/2025, 3:08:12 AM