CVE-2025-9723: Cross Site Scripting in Portabilis i-Educar
A vulnerability was found in Portabilis i-Educar up to version 2.10. It affects an unknown function of the file /intranet/educar_tipo_regime_cad.php: manipulating the argument nm_tipo results in cross-site scripting. The attack can be initiated remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-9723 identifies a cross-site scripting (XSS) vulnerability in the Portabilis i-Educar platform, a widely used open-source educational management system. The flaw exists in the /intranet/educar_tipo_regime_cad.php file, where the nm_tipo parameter is improperly sanitized, allowing an attacker to inject malicious JavaScript code. This vulnerability can be exploited remotely without authentication, requiring only that a victim user interacts with a crafted URL or input. The attack vector is network-based with low attack complexity, no privileges required, but user interaction is necessary to trigger the payload. The impact primarily affects confidentiality and integrity by enabling attackers to execute scripts in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or phishing attacks. The vulnerability does not affect availability and has no scope change. The CVSS 4.0 base score of 5.1 reflects these characteristics. Although no active exploitation has been reported, public proof-of-concept exploit code is available, increasing the risk of future attacks. The vulnerability affects all i-Educar versions from 2.0 through 2.10, necessitating urgent attention from administrators. Given the platform’s use in educational institutions, the threat could disrupt user trust and data privacy within school management systems.
Potential Impact
For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses risks of unauthorized script execution within user sessions. Attackers could leverage this to steal session cookies, impersonate users, or conduct phishing campaigns targeting students, teachers, or administrators. While the direct impact on system availability is minimal, the compromise of user credentials or sensitive educational data could lead to reputational damage, regulatory non-compliance (e.g., GDPR), and potential data breaches. The medium severity score indicates a moderate risk, but the presence of public exploits increases the likelihood of targeted attacks. Organizations relying on i-Educar for managing student records, grades, or administrative functions may face operational disruptions if attackers exploit this vulnerability to manipulate data or gain unauthorized access. The educational sector’s increasing digitalization in Europe makes this a relevant threat, especially in countries with higher adoption of this platform or similar software.
Mitigation Recommendations
To mitigate CVE-2025-9723, organizations should immediately review and apply any available patches or updates from Portabilis addressing this vulnerability. In the absence of official patches, administrators should implement strict input validation and output encoding on the nm_tipo parameter to neutralize malicious scripts. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts in browsers. Restricting access to the /intranet/educar_tipo_regime_cad.php endpoint to trusted users and networks reduces exposure. User awareness training to recognize phishing attempts and suspicious links is critical, given the need for user interaction in exploitation. Regular security audits and web application firewall (WAF) rules tailored to detect and block XSS payloads targeting this parameter can provide additional defense layers. Monitoring logs for unusual requests to the affected endpoint can help detect exploitation attempts early. Finally, organizations should consider isolating critical educational management systems from public internet access where feasible.
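The log-monitoring recommendation above, worked out as an added example (not code from this page or from the i-Educar project): a triage script that parses Combined Log Format access-log lines (an assumed format), keeps only requests to the affected endpoint, and flags nm_tipo values that carry markup or script-like content, including double-encoded ones. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

AFFECTED_PATH = "/intranet/educar_tipo_regime_cad.php"
PARAM = "nm_tipo"

# Combined Log Format (assumed): client - - [timestamp] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A regime-type name has no business containing tags, event handlers or script URIs.
SUSPICIOUS = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample log: benign request, benign form POST (body not logged),
# a single-encoded payload, a double-encoded payload, and a hit on another path.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Aug/2025:09:17:44 +0000] "GET /intranet/educar_tipo_regime_cad.php?nm_tipo=Semestral HTTP/1.1" 200 512',
    '203.0.113.5 - - [31/Aug/2025:09:18:01 +0000] "POST /intranet/educar_tipo_regime_cad.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [31/Aug/2025:09:20:10 +0000] "GET /intranet/educar_tipo_regime_cad.php?nm_tipo=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 600',
    '198.51.100.7 - - [31/Aug/2025:09:20:15 +0000] "GET /intranet/educar_tipo_regime_cad.php?nm_tipo=%253Cimg%2520src%253Dx%2520onerror%253D1%253E HTTP/1.1" 200 600',
    '192.0.2.9 - - [31/Aug/2025:09:21:00 +0000] "GET /intranet/other.php?nm_tipo=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 100',
]

def parse_line(line):
    """Split one access-log line into ip, timestamp, path, decoded query and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "query": parse_qs(parts.query, keep_blank_values=True),
            "status": int(m.group("status"))}

def nm_tipo_values(req):
    # parse_qs already decoded once; decode again so double-encoded values are inspected.
    return [unquote_plus(v) for v in req["query"].get(PARAM, [])]

def find_suspicious(lines):
    """Return (ip, timestamp, decoded value) for affected-endpoint requests with markup in nm_tipo."""
    hits = []
    for line in lines:
        req = parse_line(line)
        if not req or req["path"] != AFFECTED_PATH:
            continue
        hits.extend((req["ip"], req["ts"], v) for v in nm_tipo_values(req) if SUSPICIOUS.search(v))
    return hits

if __name__ == "__main__":
    for ip, ts, value in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious {PARAM}={value!r}")
```

Values submitted in a POST body do not appear in a standard access log, so the same check belongs in application-level request logging or a WAF rule as well.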
Affected Countries
Portugal, Spain, Italy, France, Germany, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-30T13:35:11.896Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b41338ad5a09ad00b6ca01
Added to database: 8/31/2025, 9:17:44 AM
Last enriched: 10/13/2025, 8:45:29 PM
Last updated: 10/16/2025, 12:45:39 PM
Views: 48