CVE-2025-8369
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in Portabilis i-Educar 2.9 that allows attackers to inject malicious scripts via the 'titulo_avaliacao' parameter in the /intranet/educar_avaliacao_desempenho_lst.php file. The vulnerability affects all users of i-Educar 2.9 who access the vulnerable page, potentially allowing session hijacking, credential theft, or defacement.
💻 Affected Systems
- Portabilis i-Educar
📦 What is this software?
i-Educar by Portabilis
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, redirect users to malicious sites, or deface the application interface.
Likely Case
Attackers craft malicious links containing XSS payloads that execute when victims click them, potentially stealing session cookies or performing actions as the victim.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
The exploit requires user interaction (clicking a malicious link) but is trivial to craft. Public proof-of-concept code is available in the referenced GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch is available. The vendor did not respond to disclosure. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement proper input validation for the 'titulo_avaliacao' parameter and ensure all user input is properly encoded before output.
Modify /intranet/educar_avaliacao_desempenho_lst.php to sanitize the titulo_avaliacao parameter using htmlspecialchars() or similar functions
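The two patterns below are an added illustration, not code from i-Educar or Portabilis. The markup and function names are hypothetical: the example assumes the list page reads the 'titulo_avaliacao' filter from $_GET and echoes it back into an input field and a heading, which is the shape of bug the advisory describes. Output encoding is the fix that actually neutralises the payload; the allow-list check is a second, optional layer.

```php
<?php
// Added example, not i-Educar's own code. Assumes the list page echoes the
// 'titulo_avaliacao' query parameter into an input value and a heading
// (hypothetical markup); the real file may be structured differently.

// Vulnerable pattern: the raw parameter is concatenated into HTML, so a value
// like <script>alert('XSS')</script> is sent to the browser as live markup.
function renderTituloVulnerable(string $titulo): string
{
    return '<input type="text" name="titulo_avaliacao" value="' . $titulo . '">'
         . '<h2>Resultados para: ' . $titulo . '</h2>';
}

// Hardened pattern: encode once, at output time, for the HTML context the value
// lands in. ENT_QUOTES also encodes ' and " so an attribute value cannot be
// broken out of; an explicit charset avoids encoder surprises.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderTituloSafe(string $titulo): string
{
    $safe = escapeHtml($titulo);
    return '<input type="text" name="titulo_avaliacao" value="' . $safe . '">'
         . '<h2>Resultados para: ' . $safe . '</h2>';
}

// Optional allow-list on input: an evaluation title has no legitimate need for
// angle brackets, so reject them early. Keep the output encoding regardless,
// since encoding is what makes the browser treat the text as data, not code.
function validateTitulo(string $titulo): ?string
{
    $titulo = trim($titulo);
    if ($titulo === '' || strlen($titulo) > 255) {
        return null;
    }
    if (preg_match('/[<>]/', $titulo)) {
        return null;
    }
    return $titulo;
}

// Demonstration with a constructed payload (the same one the advisory uses to verify).
$payload = "<script>alert('XSS')</script>";
echo renderTituloVulnerable($payload), PHP_EOL;   // script tag reaches the browser intact
echo renderTituloSafe($payload), PHP_EOL;         // every < > ' " is now an HTML entity
var_dump(validateTitulo($payload));               // rejected before it is ever rendered
```

Run it with php from the command line and compare the two rendered lines: in the hardened output the payload survives only as inert text, which is exactly what the "If Mitigated" case above describes. If the value is also written into a JavaScript block or a URL, each of those contexts needs its own encoder; htmlspecialchars() is only correct for HTML body and attribute positions.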
Web Application Firewall (WAF) Rules
Deploy WAF rules to block XSS payloads in the titulo_avaliacao parameter.
Add WAF rule: Block requests containing <script>, javascript:, or other XSS patterns in the titulo_avaliacao parameter
🧯 If You Can't Patch
- Restrict access to the vulnerable endpoint using network controls or authentication requirements
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Access /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=<script>alert('XSS')</script> and check if the script executes
Check Version:
Check i-Educar version in application configuration or about page
Verify Fix Applied:
After implementing fixes, test the same payload to ensure it's properly sanitized and doesn't execute
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /intranet/educar_avaliacao_desempenho_lst.php with script tags or XSS patterns in parameters
- Unusual parameter values containing JavaScript code
Network Indicators:
- HTTP GET requests with suspicious parameters containing <script>, javascript:, or encoded payloads
SIEM Query:
source="web_logs" AND uri="/intranet/educar_avaliacao_desempenho_lst.php" AND (param="titulo_avaliacao" AND value MATCHES "(?i)(<script|javascript:|on\w+=)")
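The script below is an added example, not part of the advisory and not i-Educar code. It applies the same pattern as the SIEM query above to combined-format access log lines, but decodes the query string before matching, so URL-encoded payloads (%3Cscript%3E) are caught even though the raw line contains no literal "<script". The log lines, IP addresses and timestamps are constructed for the example.

```php
<?php
// Added example, not part of the advisory or of i-Educar. Turns the SIEM query
// into a standalone check over access-log text. Log lines are constructed.

const VULN_PATH  = '/intranet/educar_avaliacao_desempenho_lst.php';
const VULN_PARAM = 'titulo_avaliacao';
// Same pattern the advisory's SIEM query uses.
const XSS_PATTERN = '/(<script|javascript:|on\w+=)/i';

// Combined-log-format style lines (constructed):
// ip - - [date] "METHOD uri HTTP/1.1" status bytes
$accessLog = <<<'LOG'
10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=Matematica HTTP/1.1" 200 4312
10.0.0.7 - - [01/Aug/2025:10:00:02 +0000] "GET /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 4501
10.0.0.9 - - [01/Aug/2025:10:00:03 +0000] "GET /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=x%22%20onmouseover%3Dalert%281%29%20y HTTP/1.1" 200 4490
10.0.0.9 - - [01/Aug/2025:10:00:04 +0000] "GET /intranet/other_page.php?titulo_avaliacao=%3Cscript%3E HTTP/1.1" 200 1200
10.0.0.5 - - [01/Aug/2025:10:00:05 +0000] "GET /intranet/educar_avaliacao_desempenho_lst.php?titulo_avaliacao=Conselho+de+Classe HTTP/1.1" 200 4312
LOG;

/**
 * Return the suspicious requests found in the log text, one array per hit.
 */
function findSuspiciousRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the client IP, method and request-URI out of the request line.
        if (!preg_match('/^(\S+) .*?"(\S+) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $ip, $method, $uri] = $m;
        if (parse_url($uri, PHP_URL_PATH) !== VULN_PATH) {
            continue;   // only the affected endpoint is in scope for this rule
        }
        $query = parse_url($uri, PHP_URL_QUERY) ?? '';
        parse_str($query, $params);          // parse_str URL-decodes each value
        $value = $params[VULN_PARAM] ?? null;
        if (!is_string($value) || !preg_match(XSS_PATTERN, $value)) {
            continue;
        }
        $hits[] = ['ip' => $ip, 'method' => $method, 'value' => $value];
    }
    return $hits;
}

foreach (findSuspiciousRequests($accessLog) as $hit) {
    printf("ALERT %s %s %s=%s\n", $hit['ip'], $hit['method'], VULN_PARAM, $hit['value']);
}
```

Of the five constructed lines, the second and third should be reported: the first and last are ordinary filter values, and the fourth targets a different path and is out of scope for this rule. Decoding before matching is the point of the example; a rule that only inspects the raw line misses the second request entirely. The same consideration applies to the WAF rule in the workarounds section, which should inspect the decoded parameter rather than the raw request string.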