CVE-2025-10606
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the Portabilis i-Educar web application via the 'tipoacao' parameter in the ConfiguracaoMovimentoGeral module. When exploited, this reflected cross-site scripting (XSS) attack can steal user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users. All i-Educar versions up to 2.10 are affected.
💻 Affected Systems
- Portabilis i-Educar
📦 What is this software?
i-Educar by Portabilis
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over administrative accounts, manipulate student records, or redirect users to phishing sites that capture sensitive information.
Likely Case
Attackers will typically use this to steal session cookies from authenticated users, allowing them to impersonate those users and perform unauthorized actions within the application.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be neutralized, preventing any client-side execution and maintaining application security.
🎯 Exploit Status
The exploit is publicly available and requires minimal technical skill to execute. Remote exploitation is possible without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11 or later
Vendor Advisory: https://github.com/portabilis/i-educar/releases
Restart Required: No
Instructions:
1. Backup your current i-Educar installation and database.
2. Download the latest version from the official GitHub repository.
3. Replace the affected files with the patched versions.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the 'tipoacao' parameter before processing.
Implement input validation in /module/Configuracao/ConfiguracaoMovimentoGeral.php to filter script tags and special characters
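As an added illustration of the workaround above (example code written for this page, not i-Educar's own PHP), the following Python shows the vulnerable pattern of reflecting 'tipoacao' straight into HTML beside the hardened pattern: an allowlist of accepted action values, then HTML attribute encoding of whatever is reflected. The allowlist set `ALLOWED_TIPOACAO` is an assumption; i-Educar's real set of action values is not given in the advisory.

```python
import html

# Hypothetical allowlist of action values the page accepts. i-Educar's real
# set of 'tipoacao' values is not documented in the advisory (assumption).
ALLOWED_TIPOACAO = {"novo", "editar", "excluir"}


def render_vulnerable(tipoacao):
    """Reflects the raw parameter straight into the HTML: the reflected-XSS pattern."""
    return f'<input type="hidden" name="tipoacao" value="{tipoacao}">'


def validate_tipoacao(tipoacao):
    """Allowlist check: return the value if it is a known action, otherwise None.
    Rejecting unknown values is preferable to trying to 'filter' bad characters."""
    return tipoacao if tipoacao in ALLOWED_TIPOACAO else None


def encode_attr(value):
    """Escape &, <, >, double and single quotes so the value cannot break out
    of a quoted HTML attribute."""
    return html.escape(value, quote=True)


def render_hardened(tipoacao):
    """Validate first (unknown actions are dropped), then encode what is reflected.
    Encoding is kept even for allowlisted values as defence in depth."""
    value = validate_tipoacao(tipoacao)
    if value is None:
        value = ""  # unknown action: reflect nothing rather than the caller's input
    return f'<input type="hidden" name="tipoacao" value="{encode_attr(value)}">'


def render_encoded_only(tipoacao):
    """Where an allowlist is not feasible, output encoding alone still neutralizes
    the payload: it is rendered as text, not parsed as markup."""
    return f'<input type="hidden" name="tipoacao" value="{encode_attr(tipoacao)}">'


# Constructed probe value, built from the same payload the advisory's
# verification step uses; it closes the attribute and opens a script tag.
PROBE = "\"><script>alert('test')</script>"

if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(PROBE))
    print("hardened   :", render_hardened(PROBE))
    print("encoded    :", render_encoded_only(PROBE))
```

The order matters: validation decides whether the value is acceptable at all, and encoding is applied at the point where the value is written into HTML, so the same value is safe whichever template reflects it. Character-stripping filters ("remove script tags") are weaker than either, because they must anticipate every encoding and tag variant.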
Web Application Firewall (WAF)
Configure WAF rules to block requests containing XSS payloads in the tipoacao parameter.
Add WAF rule: Block requests with tipoacao parameter containing <script>, javascript:, or other XSS indicators
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Deploy a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Test the endpoint /module/Configuracao/ConfiguracaoMovimentoGeral with tipoacao parameter containing a simple XSS payload like <script>alert('test')</script> and check if it executes in the browser.
Check Version:
Check the version in the application's configuration files or admin interface, typically in config/version.php or similar location.
Verify Fix Applied:
After patching, repeat the vulnerability test with the same XSS payload. The script should not execute and should be properly encoded in the output.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /module/Configuracao/ConfiguracaoMovimentoGeral with tipoacao parameter containing script tags, javascript:, or other XSS indicators
- Unusual parameter values in tipoacao field
Network Indicators:
- HTTP requests with suspicious payloads in query parameters
- Multiple requests to the vulnerable endpoint from single IPs
SIEM Query:
source="web_server_logs" AND uri="/module/Configuracao/ConfiguracaoMovimentoGeral" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:" OR query CONTAINS "onerror=" OR query CONTAINS "onload=")
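The SIEM query above expressed as a small log scanner, added here as an example (not from the advisory or the i-Educar project). It parses combined-format web server lines, percent-decodes the query string before matching so that encoded payloads are caught, compares the indicators case-insensitively, and counts per-IP hits on the endpoint to support the "multiple requests from a single IP" network indicator. The log lines, IPs and timestamps are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoint path and indicator substrings taken from the advisory's SIEM query.
VULN_PATH = "/module/Configuracao/ConfiguracaoMovimentoGeral"
XSS_INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Combined log format: client IP, identd, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic). Payloads are percent-encoded the
# way a browser or client would send them; line 2 carries the advisory's test
# payload, line 3 an upper-cased "ONLOAD=" indicator, line 5 hits another path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "GET /module/Configuracao/ConfiguracaoMovimentoGeral?tipoacao=editar HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Oct/2025:10:00:09 +0000] "GET /module/Configuracao/ConfiguracaoMovimentoGeral?tipoacao=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '198.51.100.7 - - [01/Oct/2025:10:00:12 +0000] "GET /module/Configuracao/ConfiguracaoMovimentoGeral?tipoacao=x%20ONLOAD%3Dtest HTTP/1.1" 200 5150',
    '10.0.0.9 - - [01/Oct/2025:10:01:30 +0000] "GET /module/Configuracao/ConfiguracaoMovimentoGeral?tipoacao=excluir&id=42 HTTP/1.1" 200 5121',
    '10.0.0.9 - - [01/Oct/2025:10:01:44 +0000] "GET /module/Outro?tipoacao=%3Cscript%3E HTTP/1.1" 404 240',
]


def parse_line(line):
    """Split one log line into ip, ts, method, path and decoded query params.
    Returns None for lines that do not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so "%3Cscript%3E" becomes "<script>".
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": parts.path, "params": params}


def matched_indicators(value):
    """Return the indicator substrings present in value, matched case-insensitively."""
    lowered = value.lower()
    return [ind for ind in XSS_INDICATORS if ind in lowered]


def scan(lines):
    """Return (alerts, hits_per_ip): alerts for requests to the vulnerable
    endpoint whose tipoacao value carries an indicator, and a count of all
    requests to that endpoint per client IP (for the volume-based indicator)."""
    alerts = []
    hits_per_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["path"] != VULN_PATH:
            continue
        hits_per_ip[entry["ip"]] += 1
        for value in entry["params"].get("tipoacao", []):
            found = matched_indicators(value)
            if found:
                alerts.append({"ip": entry["ip"], "ts": entry["ts"],
                               "value": value, "indicators": found})
    return alerts, hits_per_ip


if __name__ == "__main__":
    alerts, hits = scan(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['ts']} {a['ip']} tipoacao={a['value']!r} matched={a['indicators']}")
    print("hits per IP on endpoint:", dict(hits))
```

Two caveats when turning the SIEM query into a production rule: a literal match on "<script>" misses the percent-encoded form a client actually sends unless the SIEM decodes the URI first, which is why the scanner decodes before matching; and an access log only records the query string, so a payload submitted in a POST body would not appear in these lines at all.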
🔗 References
- https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10606.md
- https://github.com/marcelomulder/CVE/blob/main/i-educar/Cross-Site%20Scripting%20(XSS)%20Reflected%20endpoint%20%60.module.Configuracao.ConfiguracaoMovimentoGeral%60%20parameter%20%60tipoacao%60.md
- https://vuldb.com/?ctiid.324626
- https://vuldb.com/?id.324626
- https://vuldb.com/?submit.649874