
CVE-2025-9723: Cross Site Scripting in Portabilis i-Educar

Medium
Vulnerability | CVE-2025-9723
Published: Sun Aug 31 2025 (08/31/2025, 09:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was found in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/educar_tipo_regime_cad.php. Performing manipulation of the argument nm_tipo results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used.

AI-Powered Analysis

Last updated: 08/31/2025, 09:32:43 UTC

Technical Analysis

CVE-2025-9723 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar, affecting versions up to 2.10. It resides in an unspecified function within the file /intranet/educar_tipo_regime_cad.php. When the 'nm_tipo' argument is manipulated, attacker-controlled markup reaches the rendered page without adequate encoding, so an attacker can inject script that runs in another user's browser. The attack is initiated over the network, but the vector assigned by VulDB is not unauthenticated: it requires low privileges (PR:L), i.e. an account on the portal, and passive user interaction (UI:P), i.e. a victim must load the page that carries the payload. The CVSS 4.0 base score is 5.1 (medium), with attack vector network (AV:N), low attack complexity (AC:L), low privileges required (PR:L) and user interaction required (UI:P). The vulnerability affects the integrity of the application by allowing script injection; confidentiality and availability are not directly affected, but script executing in a logged-in user's session can be leveraged for session hijacking, defacement, redirection to malicious sites, or further attacks against users or the system. No exploitation in the wild has been reported, but a public exploit is available, which lowers the bar for attackers.

Potential Impact

For European organizations using Portabilis i-Educar, particularly educational institutions, this vulnerability poses a risk of client-side attacks that could compromise user sessions, steal credentials, or deliver malware. Since i-Educar is an education management system, exploitation could disrupt administrative processes or indirectly expose sensitive student and staff data through session hijacking or phishing. Because the attack is network-reachable and needs only a low-privileged account (any student, teacher or staff login), the effective attacker population is large, especially where the intranet portal is reachable externally or is insufficiently segmented from untrusted networks. The medium severity suggests moderate risk, but the presence of a public exploit raises the urgency of mitigation. Organizations in Europe relying on this software for school management could face reputational damage, regulatory scrutiny under GDPR if personal data is compromised, and operational disruption.

Mitigation Recommendations

To mitigate CVE-2025-9723, organizations should prioritize applying patches or updates from Portabilis as soon as they become available. In the absence of an official patch, apply input validation and, more importantly, context-appropriate output encoding to the 'nm_tipo' parameter wherever it is rendered into HTML, so that injected markup is neutralized; encoding at the output point is the control that actually prevents XSS, while input validation only narrows what can be submitted. A web application firewall (WAF) rule that blocks common XSS payloads against the affected endpoint is a useful compensating control but should not be treated as a fix, since encoding-based bypasses are routine. Restrict access to the intranet portal hosting i-Educar to trusted networks and enforce strict segmentation to limit exposure. Educate users about the risks of clicking suspicious links or interacting with untrusted content within the portal. Regularly audit web server and application logs for requests to /intranet/educar_tipo_regime_cad.php whose nm_tipo value contains angle brackets, quotes or script-like content, as an indicator of exploitation attempts. Additionally, deploy a Content Security Policy (CSP) header that restricts script sources, which limits what an injected inline script can do even if encoding is missed somewhere.
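As an added illustration, not i-Educar's own code (the real handler in educar_tipo_regime_cad.php is not reproduced here; only the parameter name nm_tipo comes from the advisory), the following PHP contrasts the unencoded-reflection pattern that produces this class of bug with a hardened form of the same page fragment: a length and control-character check on input, htmlspecialchars() at the output point, and a CSP header. The function names, the validation rule and the sample payload are assumptions made for the example.

```php
<?php
// Added illustration of the XSS pattern and its fix. Not i-Educar code:
// the only name taken from the advisory is the request parameter nm_tipo.
declare(strict_types=1);

// Encode a value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes, so the same helper is safe in
// either context; the charset must match the page's declared encoding.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the submitted value is reflected into the form
// unchanged, so a value containing "> closes the attribute and the tag
// and anything after it is parsed as markup.
function render_form_vulnerable(array $request): string
{
    $nmTipo = (string) ($request['nm_tipo'] ?? '');
    return '<input type="text" name="nm_tipo" value="' . $nmTipo . '">';
}

// Hardened pattern: reject values that cannot be a legitimate regime-type
// name (hypothetical rule: at most 100 bytes, no control characters), then
// encode on output. The encoding step is what prevents XSS; the validation
// only shrinks the input space and gives a clean place to log rejects.
function render_form_hardened(array $request): string
{
    $nmTipo = (string) ($request['nm_tipo'] ?? '');
    if (strlen($nmTipo) > 100 || preg_match('/[\x00-\x1f\x7f]/', $nmTipo) === 1) {
        error_log('rejected nm_tipo value: ' . bin2hex($nmTipo));
        $nmTipo = '';
    }
    return '<input type="text" name="nm_tipo" value="' . h($nmTipo) . '">';
}

// Defence in depth: a CSP that disallows inline script limits what an
// injected <script> can do if an encoding step is missed elsewhere.
// Must be sent before any output.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample payload of the kind an attacker would submit.
$payload = ['nm_tipo' => '"><script>alert(document.cookie)</script>'];

// The vulnerable render emits the script tag as live markup; the hardened
// render emits it as inert text (&quot;&gt;&lt;script&gt;...).
echo render_form_vulnerable($payload), PHP_EOL;
echo render_form_hardened($payload), PHP_EOL;
```

Run with `php example.php` to compare the two outputs; the hardened line shows the payload encoded as `&quot;&gt;&lt;script&gt;...` inside the attribute. If the value is stored and rendered later, the same h() call belongs at every output site, not only in the form that first reflects it.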


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-30T13:35:11.896Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b41338ad5a09ad00b6ca01

Added to database: 8/31/2025, 9:17:44 AM

Last enriched: 8/31/2025, 9:32:43 AM

Last updated: 9/1/2025, 8:51:07 AM

