
CVE-2025-9724: Cross Site Scripting in Portabilis i-Educar

Medium
Published: Sun Aug 31 2025 (08/31/2025, 09:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was determined in Portabilis i-Educar up to 2.10. This impacts an unknown function of the file /intranet/educar_nivel_ensino_cad.php. Executing manipulation of the argument nm_nivel/descricao can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.

AI-Powered Analysis

Last updated: 08/31/2025, 10:02:45 UTC

Technical Analysis

CVE-2025-9724 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar affecting versions up to 2.10. It resides in an unspecified function within the file /intranet/educar_nivel_ensino_cad.php, where the input parameters nm_nivel and descricao are not validated or encoded before being reflected, so an attacker can inject script content into the page. The vulnerability is exploitable over the network; according to the CVSS 4.0 vector it requires low privileges (PR:L, i.e. an authenticated low-privileged account rather than no account at all) and user interaction (UI:P) to trigger the payload. The CVSS 4.0 base score is 5.1, a medium severity. The attack vector is network-based (AV:N) with low attack complexity (AC:L). The impact recorded in the vector is limited: no confidentiality impact on the vulnerable system (VC:N), low integrity impact (VI:L), and no availability impact. No exploitation in the wild is known, but exploit code has been publicly disclosed, which raises the likelihood of exploitation. Successful exploitation lets an attacker execute arbitrary JavaScript in the victim's browser in the context of the i-Educar session, which can lead to session hijacking, defacement, or redirection to malicious sites. Because i-Educar is an educational management system, this could expose sensitive educational data or disrupt administrative functions.

Potential Impact

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized script execution that could lead to data leakage, session hijacking, or phishing attacks targeting students, staff, or administrators. The impact on confidentiality is moderate due to potential exposure of session tokens or personal data. Integrity could be affected if attackers manipulate displayed content or input data. Availability impact is minimal. Since the vulnerability requires user interaction, the risk is somewhat mitigated but remains significant in environments where users may be less security-aware, such as schools. Exploitation could undermine trust in educational platforms and lead to regulatory compliance issues under GDPR if personal data is compromised. Additionally, the remote exploitability increases the attack surface, especially if the affected systems are accessible over the internet or poorly segmented internal networks.

Mitigation Recommendations

Specific mitigation steps include:

1) Apply patches or updates from Portabilis as soon as they are available; since no patch links are currently provided, monitor vendor advisories closely.
2) Implement strict input validation and output encoding on the affected parameters (nm_nivel and descricao) so that injected markup is rendered as text rather than executed.
3) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing i-Educar.
4) Conduct user awareness training on recognizing phishing and suspicious links, since exploitation depends on user interaction.
5) Restrict access to the intranet portion of i-Educar (where the vulnerable script resides) through network segmentation and VPNs to limit exposure.
6) Monitor web server logs for unusual parameter values or repeated attempts to exploit the vulnerability.
7) Consider a web application firewall (WAF) with rules targeting XSS payloads in the vulnerable parameters.

These measures collectively reduce the risk until a vendor patch is applied.
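The following is an added example illustrating steps 2 and 6 above; it is not code from the advisory or from Portabilis. It assumes the web server writes Apache/nginx "combined" access-log lines, and the four sample lines are constructed (documentation IP ranges) to show what a scan for markup in the nm_nivel and descricao parameters of the vulnerable script flags and what it ignores. The render_safe function shows the output encoding that neutralises a flagged value; i-Educar is a PHP application, so the equivalent there is htmlspecialchars() with ENT_QUOTES.

```python
import re
from collections import Counter
from html import escape
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Script and parameters named in the advisory.
VULNERABLE_PATH = "/intranet/educar_nivel_ensino_cad.php"
WATCHED_PARAMS = ("nm_nivel", "descricao")

# Apache/nginx "combined" access-log request line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markup that has no business in a level name or description:
# a tag opener, an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:', re.I)

# Constructed sample lines; not real i-Educar traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2025:09:40:12 +0000] "GET /intranet/educar_nivel_ensino_cad.php?nm_nivel=Fundamental&descricao=Ensino+Fundamental HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Aug/2025:09:40:15 +0000] "GET /intranet/educar_nivel_ensino_cad.php?nm_nivel=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&descricao=x HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Aug/2025:09:41:02 +0000] "GET /intranet/educar_nivel_ensino_cad.php?descricao=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 5130 "-" "curl/8.0"
203.0.113.7 - - [31/Aug/2025:09:42:30 +0000] "GET /intranet/index.php?nm_nivel=%3Cb%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""


def suspicious(value):
    """True if the value contains markup, also after one extra decode (double encoding)."""
    return bool(MARKUP_RE.search(value) or MARKUP_RE.search(unquote_plus(value)))


def scan_log(text, path=VULNERABLE_PATH, params=WATCHED_PARAMS):
    """Return one finding per watched parameter value that carries markup,
    for requests to the vulnerable script only (line 4 above is ignored)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if url.path != path:
            continue
        query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        for name in params:
            for value in query.get(name, []):
                if suspicious(value):
                    findings.append({"ip": m["ip"], "ts": m["ts"],
                                     "param": name, "value": value})
    return findings


def count_by_ip(findings):
    """Attempts per source address: the 'repeated attempts' signal from step 6."""
    return dict(Counter(f["ip"] for f in findings))


def render_safe(value):
    """Output encoding for step 2: the value is shown as text, not parsed as HTML."""
    return escape(value, quote=True)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['param']}={h['value']!r}"
              f" -> encoded: {render_safe(h['value'])}")
    print("attempts per source:", count_by_ip(hits))
```

Access logs only record the query string, so this scan sees GET requests; if the form posts nm_nivel and descricao in the request body, the same check has to run where the body is visible (application-level request logging or the WAF from step 7). The markup pattern is deliberately narrow to keep false positives low on legitimate Portuguese level names; widen it only after reviewing what the log actually contains.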


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-30T13:35:15.400Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b41a40ad5a09ad00b7942d

Added to database: 8/31/2025, 9:47:44 AM

Last enriched: 8/31/2025, 10:02:45 AM

Last updated: 9/1/2025, 8:03:53 AM

