Platform: php
Fixed in: 2.0.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.7.1, 2.8.1, 2.9.1, 2.10.1
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Educar versions 2.0 through 2.10. The flaw resides in the /intranet/educarfuncaocad.php file and specifically affects the handling of the abreviatura and tipoacao parameters. Successful exploitation allows an attacker to execute malicious scripts remotely, potentially compromising user sessions and data integrity. The vulnerability has been publicly disclosed and a proof-of-concept exploit is available.
The primary impact of this XSS vulnerability is the potential for an attacker to inject malicious JavaScript code into the i-Educar application. This code can then be executed in the context of a user's browser when they access the affected page. An attacker could leverage this to steal session cookies, redirect users to phishing sites, or deface the application's interface. Given that i-Educar is often used in educational institutions, the potential for compromising student or staff accounts is a significant concern. The availability of a public exploit increases the likelihood of widespread exploitation, particularly if systems are not promptly patched.
This vulnerability is considered LOW severity based on the CVSS score. However, the public availability of a proof-of-concept exploit significantly elevates the risk. While not currently listed on CISA KEV, the ease of exploitation warrants close monitoring. The vulnerability's impact is amplified by the common deployment of i-Educar in environments with sensitive user data.
Educational institutions and organizations utilizing Portabilis i-Educar for student management are particularly at risk. Systems running older, unpatched versions (2.0-2.10) are most vulnerable. Shared hosting environments where multiple i-Educar instances reside on the same server could also experience cross-contamination if one instance is compromised.
• php: Examine access logs for requests to /intranet/educarfuncaocad.php with unusual or suspicious values in the abreviatura or tipoacao parameter. Look for patterns indicative of JavaScript injection (e.g., <script>, javascript:, onerror=), bearing in mind that such values usually appear URL-encoded in the log (e.g., %3Cscript%3E).
grep -iE 'educar_?funcao_?cad\.php\?.*(abreviatura|tipoacao)=[^a-zA-Z0-9&]' /var/log/apache2/access.log
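The grep above only matches a leading non-alphanumeric character and cannot see through URL encoding. The following is an added example, not part of this advisory or of the i-Educar project, that parses Apache combined-format access log lines, restricts matching to the two path spellings given on this page, URL-decodes the abreviatura and tipoacao values (including double-encoded ones) and flags the indicator patterns listed above; the log lines are constructed samples, and the on[a-z]+= pattern generalizes the onerror= indicator.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Both path spellings that appear in this advisory are checked.
ENDPOINTS = {"/intranet/educarfuncaocad.php", "/intranet/educar_funcao_cad.php"}
PARAMS = ("abreviatura", "tipoacao")
# Indicators from the detection guidance above; on[a-z]+= generalizes onerror=.
XSS_INDICATORS = re.compile(r"<\s*script|javascript:|on[a-z]+\s*=", re.I)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "GET /intranet/educar_funcao_cad.php?abreviatura=MAT&tipoacao=Novo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Oct/2025:10:00:02 +0000] "GET /intranet/educar_funcao_cad.php?abreviatura=%3Cscript%3Ealert(1)%3C%2Fscript%3E&tipoacao=Novo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Oct/2025:10:00:03 +0000] "GET /intranet/educar_funcao_cad.php?tipoacao=%22+onerror%3Dalert(1)+x%3D%22 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Oct/2025:10:00:04 +0000] "GET /intranet/outra_pagina.php?abreviatura=%3Cscript%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

def scan_line(line: str):
    """Return [(param, decoded_value), ...] for suspicious hits, else None.
    Note: only GET query strings are in access logs; POST bodies need
    request-body or WAF logging."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in ENDPOINTS:
        return None
    hits = []
    for name in PARAMS:
        for value in parse_qs(parts.query, keep_blank_values=True).get(name, []):
            # parse_qs decoded once; decode again to catch double-encoded payloads.
            decoded = unquote_plus(value)
            if XSS_INDICATORS.search(decoded):
                hits.append((name, decoded))
    return hits or None

def scan_log(text: str):
    """Scan a whole log and return one finding dict per suspicious parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, value in scan_line(line) or []:
            findings.append({"line": lineno, "ip": line.split(" ", 1)[0],
                             "param": name, "value": value})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with scan_log(open("/var/log/apache2/access.log").read()); requests to other endpoints (sample line 4) are ignored so the output stays focused on the vulnerable page.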
EPSS: 0.02% (6th percentile)
The recommended mitigation for CVE-2025-10591 is to immediately upgrade to i-Educar version 2.10.1 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict input validation on the abreviatura/tipoacao parameter within the /intranet/educarfuncaocad.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific endpoint can also provide a layer of protection. Regularly review i-Educar's security advisories for further guidance.
Update i-Educar to a version later than 2.9 to fix the XSS vulnerability. If updating is not possible, review and filter the input of the 'abreviatura' and 'tipoacao' fields in the file /intranet/educar_funcao_cad.php to prevent the injection of malicious code. Implement server-side data validation and sanitization to prevent XSS attacks.
CVE-2025-10591 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Educar versions 2.0 through 2.10, allowing attackers to inject malicious scripts.
You are affected if you are using i-Educar versions 2.0 through 2.10. Upgrade to 2.10.1 or later to mitigate the risk.
Upgrade to i-Educar version 2.10.1 or later. As a temporary workaround, implement strict input validation on the abreviatura/tipoacao parameter.
A public proof-of-concept exploit is available, increasing the likelihood of active exploitation.
Refer to the Portabilis security advisories page for the latest information and updates regarding CVE-2025-10591.