Platform: php
Fixed in: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Diario versions 1.0 to 1.5.0. This flaw resides within the Informações Adicionais Page component, specifically in an unknown function related to the /planos-de-aulas-por-disciplina/ file. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to session hijacking or defacement. A fix is available in version 1.5.1.
The XSS vulnerability in i-Diario allows an attacker to inject malicious scripts into web pages viewed by other users. This can be exploited to steal user credentials, redirect users to phishing sites, or deface the application. The attacker could potentially gain access to sensitive data stored within the i-Diario system, depending on the user's privileges and the application's functionality. Given the published proof-of-concept, the risk of exploitation is elevated, particularly for systems that haven't been patched.
A proof-of-concept (PoC) for CVE-2025-9104 has been publicly released, indicating a relatively high probability of exploitation. The vulnerability was disclosed on 2025-08-18. The vendor was contacted but did not respond. This lack of vendor engagement increases the risk of exploitation as it suggests a potential delay in further security updates or support.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2025-9104 is to upgrade to Portabilis i-Diario version 1.5.1 or later. If immediate upgrading is not possible, consider implementing input validation and output encoding on the affected parameter (Parecer/Objeto de Conhecimento/Habilidades) to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update your WAF rules to ensure they are effective against emerging XSS techniques.
Update i-Diario to a version later than 1.5.0, if available, to fix the XSS vulnerability. If no version is available, consider disabling or removing the 'Additional Information Page' component until a solution is published. Review and validate user inputs in the 'Parecer/Objeto de Conhecimento/Habilidades' field to prevent the injection of malicious code.
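The output-encoding mitigation described above, shown as an added PHP example that is not i-Diario's own code: a lesson-plan record whose Parecer, Objeto de Conhecimento and Habilidades fields are rendered once verbatim (the stored-XSS pattern) and once through an HTML-escaping helper. The template markup, the function names and the sample record are assumptions constructed for the illustration.

```php
<?php
// Added example (not i-Diario's own code): escaping the "Informações Adicionais"
// fields before they are written into HTML. Field names follow the advisory;
// the record below is constructed and the <dl> markup is a hypothetical template.

declare(strict_types=1);

// Encode a string for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: stored field content is interpolated verbatim, so any
// markup a user saved into Parecer/Objeto de Conhecimento/Habilidades becomes
// live in the next viewer's browser (stored XSS).
function renderUnsafe(array $plan): string
{
    return "<dl>\n"
        . "  <dt>Parecer</dt><dd>{$plan['parecer']}</dd>\n"
        . "  <dt>Objeto de Conhecimento</dt><dd>{$plan['objeto_de_conhecimento']}</dd>\n"
        . "  <dt>Habilidades</dt><dd>{$plan['habilidades']}</dd>\n"
        . "</dl>\n";
}

// Hardened rendering: every user-controlled value passes through h() at the
// point it enters the HTML, so it is displayed as text, never parsed as markup.
function renderSafe(array $plan): string
{
    return "<dl>\n"
        . "  <dt>Parecer</dt><dd>" . h($plan['parecer']) . "</dd>\n"
        . "  <dt>Objeto de Conhecimento</dt><dd>" . h($plan['objeto_de_conhecimento']) . "</dd>\n"
        . "  <dt>Habilidades</dt><dd>" . h($plan['habilidades']) . "</dd>\n"
        . "</dl>\n";
}

// Constructed record: the Parecer field carries a harmless marker tag standing
// in for whatever markup a user might have stored through the affected form.
$plan = [
    'parecer'                => 'Aluno participativo <b id="marker">texto</b>',
    'objeto_de_conhecimento' => 'Frações & decimais',
    'habilidades'            => 'EF05MA03',
];

echo renderUnsafe($plan); // marker tag survives and the browser parses it as HTML
echo renderSafe($plan);   // marker tag arrives as &lt;b id=&quot;marker&quot;&gt; and is shown literally
```

If these fields are meant to hold formatted text, escaping alone is the wrong tool; run them through an allow-list HTML sanitizer instead, and keep the escaping for every plain-text field.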
CVE-2025-9104 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Diario versions 1.0 through 1.5.0, allowing attackers to inject malicious scripts.
If you are using Portabilis i-Diario versions 1.0, 1.1, 1.2, 1.3, 1.4, or 1.5.0, you are potentially affected by this vulnerability.
Upgrade to Portabilis i-Diario version 1.5.1 or later to resolve this XSS vulnerability. Consider input validation and WAF rules as temporary mitigations.
A proof-of-concept has been publicly released, indicating a high probability of exploitation and potential active campaigns.
Please refer to the Portabilis security advisories page for updates and official information regarding CVE-2025-9104.