Platform: php
Fixed in: 2.0.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.7.1, 2.8.1, 2.9.1, 2.10.1
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Educar versions 2.0 through 2.10. The flaw is in the file /intranet/educar_funcao_cad.php, specifically in the handling of the abreviatura and tipoacao parameters, whose values reach the generated page without adequate validation or output encoding. Successful exploitation lets a remote attacker inject script that executes in the browser of a user who opens a crafted request to this page, potentially compromising user sessions and data integrity. The vulnerability has been publicly disclosed and a proof-of-concept exploit is available.
The primary impact of this XSS vulnerability is the potential for an attacker to inject malicious JavaScript code into the i-Educar application. This code can then be executed in the context of a user's browser when they access the affected page. An attacker could leverage this to steal session cookies, redirect users to phishing sites, or deface the application's interface. Given that i-Educar is often used in educational institutions, the potential for compromising student or staff accounts is a significant concern. The availability of a public exploit increases the likelihood of widespread exploitation, particularly if systems are not promptly patched.
This vulnerability is considered LOW severity based on the CVSS score. However, the public availability of a proof-of-concept exploit significantly elevates the risk. While not currently listed on CISA KEV, the ease of exploitation warrants close monitoring. The vulnerability's impact is amplified by the common deployment of i-Educar in environments with sensitive user data.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The recommended mitigation for CVE-2025-10591 is to upgrade promptly to i-Educar version 2.10.1 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider temporary workarounds such as strict server-side validation of the abreviatura and tipoacao parameters in /intranet/educar_funcao_cad.php and HTML-encoding of those values wherever they are written back into the page. A web application firewall (WAF) configured to detect and block XSS payloads targeting this specific endpoint can add a layer of protection, but it does not replace the fix in the application. Regularly review i-Educar's security advisories for further guidance.
Update i-Educar to 2.10.1 or later (or to the patched release of your 2.x branch listed under Fixed in) to fix the XSS vulnerability. If updating is not possible, validate the 'abreviatura' and 'tipoacao' fields in the file /intranet/educar_funcao_cad.php on the server side and encode them on output to prevent the injection of malicious code. Client-side checks alone are not sufficient, since the attacker controls the request.
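The validate-on-input, encode-on-output pattern described above, as an added example that is not i-Educar's own code and not taken from the advisory. It uses a minimal stand-in for a form handler like /intranet/educar_funcao_cad.php that reflects abreviatura and tipoacao into an HTML form; the accepted tipoacao values, the abreviatura length and character policy, and the request array shape are assumptions made for the example, and the attacker request is constructed.

```php
<?php
// Added example, not i-Educar's own code. Minimal stand-in for a form
// handler that reflects the request parameters abreviatura and tipoacao
// back into the page. Assumptions (not from the advisory): the handler
// reads both values from the request and echoes them into form fields;
// the accepted tipoacao values are the hypothetical set below.

declare(strict_types=1);

/** Vulnerable: request values are concatenated into HTML unescaped. */
function render_vulnerable(array $req): string
{
    $abreviatura = $req['abreviatura'] ?? '';
    $tipoacao    = $req['tipoacao'] ?? '';
    return '<input type="hidden" name="tipoacao" value="' . $tipoacao . '">'
         . '<input type="text" name="abreviatura" value="' . $abreviatura . '">';
}

/** Hardened: validate on input, encode on output. */
function render_hardened(array $req): string
{
    // tipoacao selects the form action: accept only a fixed set
    // (assumed values; the real application's action names may differ).
    $allowedAcoes = ['Novo', 'Editar', 'Excluir'];
    $tipoacao = $req['tipoacao'] ?? 'Novo';
    if (!in_array($tipoacao, $allowedAcoes, true)) {
        throw new InvalidArgumentException('tipoacao invalido');
    }

    // abreviatura is a short label: restrict length and character set
    // (assumed policy: letters, digits, space and hyphen, at most 20 chars).
    $abreviatura = $req['abreviatura'] ?? '';
    if (!preg_match('/^[\p{L}\p{N} \-]{0,20}$/u', $abreviatura)) {
        throw new InvalidArgumentException('abreviatura invalida');
    }

    // Output encoding is the actual XSS fix: ENT_QUOTES encodes both quote
    // characters, so a value cannot close the attribute it is placed in,
    // and ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
    $esc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="tipoacao" value="' . $esc($tipoacao) . '">'
         . '<input type="text" name="abreviatura" value="' . $esc($abreviatura) . '">';
}

// Constructed attacker request: an attribute break-out payload in abreviatura.
$payload = ['abreviatura' => '"><script>alert(1)</script>', 'tipoacao' => 'Novo'];

echo "vulnerable:\n", render_vulnerable($payload), "\n\n";
// The <script> element reaches the page unchanged and runs in the victim's browser.

echo "hardened:\n";
try {
    echo render_hardened($payload), "\n";
} catch (InvalidArgumentException $e) {
    // The allow-list rejects the request before any HTML is produced.
    echo "rejected: ", $e->getMessage(), "\n";
}

// Even if the validation layer were removed, the encoding step alone keeps
// the same payload inert: quotes and angle brackets become HTML entities.
echo "encoded only:\n", htmlspecialchars($payload['abreviatura'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```

Run it with `php example.php`. The two layers are deliberately independent: validation narrows what the application accepts (and makes a WAF rule much easier to write), while output encoding is what prevents the injection regardless of what passed validation, so a fix that only adds a filter on the input side leaves the bug reachable through any path the filter misses.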
CVE-2025-10591 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar versions 2.0 through 2.10, allowing attackers to inject malicious scripts.
You are affected if you are using i-Educar versions 2.0 through 2.10. Upgrade to 2.10.1 or later to mitigate the risk.
Upgrade to i-Educar version 2.10.1 or later. As a temporary workaround, implement strict input validation on the abreviatura/tipoacao parameter.
A public proof-of-concept exploit is available, increasing the likelihood of active exploitation.
Refer to the Portabilis security advisories page for the latest information and updates regarding CVE-2025-10591.