CVE-2025-10605
📋 TL;DR
This vulnerability is a reflected cross-site scripting (XSS) flaw in Portabilis i-Educar's agenda_preferencias.php file, where the tipoacao parameter is not properly sanitized. Attackers can inject malicious scripts that execute in users' browsers when they visit a crafted URL. All users of i-Educar up to version 2.10 are affected.
💻 Affected Systems
- Portabilis i-Educar
📦 What is this software?
i-Educar by Portabilis
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy malware through the application.
Likely Case
Attackers craft phishing links to steal user credentials or session tokens from authenticated users who click malicious links.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers.
🎯 Exploit Status
Exploit details are publicly available in GitHub repositories, making this easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11 or later
Vendor Advisory: https://github.com/portabilis/i-educar/releases
Restart Required: No
Instructions:
1. Backup your current installation.
2. Upgrade to i-Educar version 2.11 or later.
3. Verify the fix by testing the agenda_preferencias.php endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize the tipoacao parameter before processing.
Modify agenda_preferencias.php to validate tipoacao against allowed values using PHP filter functions.
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious requests.
Configure WAF to detect and block XSS patterns in tipoacao parameter.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution.
- Disable or restrict access to the agenda_preferencias.php endpoint if not needed.
🔍 How to Verify
Check if Vulnerable:
Test by accessing agenda_preferencias.php with a crafted tipoacao parameter containing script tags and checking if they execute.
Check Version:
Check the i-Educar version in the application's admin panel or configuration files.
Verify Fix Applied:
After patching, test the same payload to ensure scripts are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to agenda_preferencias.php with suspicious tipoacao values containing script tags or JavaScript code.
Network Indicators:
- Unusual traffic patterns to the vulnerable endpoint with encoded payloads.
SIEM Query:
source="web_server" AND uri="/agenda_preferencias.php" AND param="tipoacao" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
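As an added example that is not part of this advisory, the following Python scan applies the log indicator above to constructed access-log lines; it URL-decodes the tipoacao value repeatedly so the encoded payloads mentioned under Network Indicators (including double-encoded ones) are not missed. The log format, IP addresses and parameter values are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from a real i-Educar deployment).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2025:10:00:01 +0000] "GET /agenda_preferencias.php?tipoacao=1 HTTP/1.1" 200 512
203.0.113.9 - - [01/Oct/2025:10:00:02 +0000] "GET /agenda_preferencias.php?tipoacao=%3Cscript%3E HTTP/1.1" 200 512
203.0.113.9 - - [01/Oct/2025:10:00:03 +0000] "GET /agenda_preferencias.php?tipoacao=%253Cscript%253E HTTP/1.1" 200 512
203.0.113.9 - - [01/Oct/2025:10:00:04 +0000] "GET /agenda_preferencias.php?tipoacao=JavaScript%3A HTTP/1.1" 200 512
203.0.113.7 - - [01/Oct/2025:10:00:05 +0000] "GET /index.php?tipoacao=%3Cscript%3E HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# The two indicators named in the advisory's SIEM query: a script tag or a javascript: URL.
XSS_RE = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)
VULNERABLE_PATH = "/agenda_preferencias.php"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so %253C -> %3C -> < is caught, bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_tipoacao(line: str):
    """Return (client_ip, decoded_value) for a request to the vulnerable endpoint whose
    tipoacao parameter matches an XSS indicator, or None otherwise."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group(1))
    # endswith() tolerates deployments under a sub-directory.
    if not parts.path.endswith(VULNERABLE_PATH):
        return None
    # parse_qs already performs one decoding round; fully_decode handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("tipoacao", []):
        decoded = fully_decode(raw)
        if XSS_RE.search(decoded):
            return line.split(" ", 1)[0], decoded
    return None


def scan(log_text: str):
    """Run the indicator over every line and return the hits in log order."""
    return [hit for hit in map(suspicious_tipoacao, log_text.splitlines()) if hit]
```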
🔗 References
- https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10605.md
- https://github.com/marcelomulder/CVE/blob/main/i-educar/Cross-Site%20Scripting%20(XSS)%20Reflected%20endpoint%20%60agenda_preferencias.php%60%20parameter%20%60tipoacao%60.md
- https://vuldb.com/?ctiid.324625
- https://vuldb.com/?id.324625
- https://vuldb.com/?submit.649872