Portabilis i-Diario Additional Information /planos-de-aulas-por-disciplina Cross-Site Scripting
Platform
php
Fixed in
1.0.1
1.1.1
1.2.1
1.3.1
1.4.1
1.5.1
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Diario versions 1.0 through 1.5.0. The flaw is in the Informações Adicionais (Additional Information) page component, in an unnamed function behind the /planos-de-aulas-por-disciplina/ route, where the user-supplied Parecer, Objeto de Conhecimento and Habilidades values reach the page without adequate validation or output encoding. Successful exploitation lets an attacker run arbitrary JavaScript in the browser of another user of the application, which can lead to session hijacking or defacement. Fixed releases for each branch are listed above; for the current branch the fix is 1.5.1.
Impact and attack scenarios
The XSS flaw lets an attacker inject script into pages that other i-Diario users view. Exploitation requires user interaction, so the attacker must get a victim to open a crafted link or a page that renders the injected content. In the victim's browser the script runs with the victim's session: it can read whatever the victim can read, submit actions on the victim's behalf, redirect the victim to a phishing site, or deface the page. What is actually exposed therefore depends on the victim's privileges in i-Diario and on whether the session cookie is protected with the HttpOnly flag. The CVSS metrics on this page rate the direct impact as Integrity Low with no confidentiality impact, the conventional scoring for this class of XSS; the scenarios above are the realistic worst case. With a public proof-of-concept available, unpatched instances should be treated as exposed.
Exploitation context
A proof-of-concept (PoC) for CVE-2025-9104 has been publicly released, which lowers the cost of exploitation, although the EPSS score listed on this page (0.04%, 11th percentile) still predicts a low probability of exploitation in the wild. The vulnerability was disclosed on 2025-08-18. The vendor was contacted but did not respond. This lack of vendor engagement increases the risk, since it suggests further security updates or support may be delayed.
Who is at risk
Organizations using Portabilis i-Diario for educational planning and curriculum management are at risk, particularly those running older, unpatched versions (1.0 through 1.5.0). Shared hosting environments that run several i-Diario instances on one server deserve extra attention, with one caveat: script injected through XSS is confined by the browser's same-origin policy, so one compromised instance can affect another only when the instances share an origin (same scheme, host and port, for example path-based instances on one hostname) or share a cookie domain. Instances on separate hostnames are isolated from each other at the browser level.
Detection steps
• generic web: On an instance you are authorized to test, submit payloads containing <script> tags or event handlers (e.g. onload) to the /planos-de-aulas-por-disciplina/ endpoint and check whether they come back unencoded, either in the immediate response or in the page that later renders the saved plan. The endpoint requires a logged-in user (Privileges Required: Low in the CVSS vector), so send a valid session cookie. The real form field names must be read from the page's HTML; this advisory labels the affected fields Parecer/Objeto de Conhecimento/Habilidades:
curl -X POST 'https://<i-diario-host>/planos-de-aulas-por-disciplina/' \
  -b '<session cookie copied from a logged-in browser>' \
  --data-urlencode 'Parecer/Objeto de Conhecimento/Habilidades=<script>alert("XSS")</script>'
• generic web: Examine access and error logs for requests to /planos-de-aulas-por-disciplina/ whose query string contains XSS payloads or unusual characters in the Parecer/Objeto de Conhecimento/Habilidades fields. URL-decode the request line before matching, since payloads are almost always percent-encoded, and remember that standard access logs do not record POST bodies, so a probe like the one above is only visible if request-body logging is enabled.
• php: Review the source behind the /planos-de-aulas-por-disciplina/ route for inadequate input validation or output encoding of the Parecer/Objeto de Conhecimento/Habilidades values, looking at every place the values are rendered, not only where they are received. Typical mistakes: strip_tags used as if it were an output encoder (it does nothing against a value that breaks out of an attribute without containing a tag), htmlspecialchars called without ENT_QUOTES for a value placed in a single-quoted attribute, and template constructs that emit raw, unescaped output.
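The two generic-web steps above, probing and log review, as an added example that is not code from the i-Diario project or from this advisory. It scans access-log lines for requests to /planos-de-aulas-por-disciplina/ whose URL-decoded query carries script tags or inline event handlers, and it classifies whether a probe string came back from the server raw, HTML-encoded, or not at all. The log lines, the combined log format, the field names and the response fragments are constructed for the example and are assumptions, not observed i-Diario traffic.

```python
"""Detection helpers for the i-Diario /planos-de-aulas-por-disciplina/ XSS.
Added example; the log format, field names and response bodies are assumed."""
import html
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/planos-de-aulas-por-disciplina"

# Indicators are matched against the URL-decoded request, because payloads in
# logs are almost always percent-encoded (%3Cscript%3E, %22+onmouseover%3D...).
XSS_INDICATORS = re.compile(
    r"<\s*script\b"          # <script ...>
    r"|<\s*/\s*script\s*>"   # </script>
    r"|\bon[a-z]+\s*=",      # inline event handler: onload=, onerror=, onmouseover= ...
    re.IGNORECASE,
)

# Apache/nginx combined log format (assumed). Only the request line is used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_xss_requests(lines):
    """Return one dict per log line that targets the vulnerable path and whose
    decoded query string contains an XSS indicator.

    Caveat: access logs record the request line only. A payload sent in a POST
    body is not visible here unless request-body logging is enabled.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in the expected format; skip
        path, _, query = m.group("target").partition("?")
        if path.rstrip("/") != TARGET_PATH:
            continue                      # some other endpoint
        decoded = unquote_plus(query)
        if XSS_INDICATORS.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": m.group("status"),
                "decoded_query": decoded,
            })
    return hits


def classify_reflection(body, probe):
    """Classify how a response body reflects the probe that was submitted:
    'raw' (verbatim: the page is vulnerable), 'encoded' (only the HTML-escaped
    form appears: output encoding is in place) or 'absent'."""
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body or html.escape(probe, quote=False) in body:
        return "encoded"
    return "absent"


# Constructed sample log: two probes against the vulnerable path, one benign
# request, and one probe against an unrelated path that must be ignored.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Aug/2025:10:01:02 +0000] "GET /planos-de-aulas-por-disciplina/'
    '?Habilidades=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '10.0.0.7 - - [18/Aug/2025:10:02:10 +0000] "GET /planos-de-aulas-por-disciplina/'
    '?Habilidades=Leitura+e+escrita HTTP/1.1" 200 4980',
    '10.0.0.9 - - [18/Aug/2025:10:03:33 +0000] "GET /planos-de-aulas-por-disciplina/'
    '?Parecer=%22+onmouseover%3D%22alert%281%29 HTTP/1.1" 200 5010',
    '10.0.0.9 - - [18/Aug/2025:10:04:00 +0000] "GET /login?next=%3Cscript%3E HTTP/1.1" 302 0',
]

PROBE = '<script>alert("XSS")</script>'
# Constructed response fragments: what an unpatched and a patched page might return.
VULNERABLE_BODY = "<td>" + PROBE + "</td>"
FIXED_BODY = "<td>&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;</td>"

if __name__ == "__main__":
    for hit in find_xss_requests(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["decoded_query"])
    print("unpatched:", classify_reflection(VULNERABLE_BODY, PROBE))
    print("patched:  ", classify_reflection(FIXED_BODY, PROBE))
```

Run the script as-is to see the two probing requests flagged (the /login probe is ignored because the path check is exact) and the raw versus encoded verdicts; to use it against real logs, feed the file's lines to find_xss_requests and the body of your own probe response to classify_reflection.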
Attack timeline
- Disclosure: 2025-08-18
- PoC: publicly released
Threat intelligence
Exploit status: public proof-of-concept available; no in-the-wild exploitation is recorded on this page.
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
Reconstructed from the metric values listed below: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N (CVSS 3.x base score 3.5).
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions; reliably exploitable.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: Required. The victim must open a file, click a link or visit a page.
- Scope: Unchanged. Impact is confined to the vulnerable component.
- Confidentiality: None. No impact on confidentiality.
- Integrity: Low. The attacker can modify some data within a limited scope.
- Availability: None. No impact on availability.
Affected software
Weakness classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and workarounds
The primary mitigation for CVE-2025-9104 is to upgrade to the fixed release for your branch (1.5.1 for the current branch; see the list above). If you cannot upgrade immediately, the durable workaround is in the application itself: validate the Parecer, Objeto de Conhecimento and Habilidades values on input and, more importantly, HTML-encode them for the context in which they are rendered on output; input validation alone does not prevent XSS. A web application firewall (WAF) with XSS rules in front of the instance adds a temporary layer of protection, but WAF signatures are routinely bypassed, so treat it as a stopgap rather than a fix and keep the rules updated against current XSS techniques.
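The encoding point above, and the two mistakes the php detection step tells you to look for, as an added example that is not i-Diario code: a tag-stripping "sanitizer" and an escaper that leaves quotes alone are run against an attribute-breakout payload and a script-tag payload, and the rendered markup is parsed to see what would still execute. The template, the field name parecer, the single-quoted attribute and the payloads are assumptions made for the example.

```python
"""Why strip_tags-style sanitizing and quote-less escaping do not stop this XSS,
and what context-correct output encoding looks like. Added example; template
and field name are hypothetical."""
import html
import re
from html.parser import HTMLParser

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value):
    """A strip_tags()-style 'sanitizer': removes anything shaped like a tag."""
    return TAG_RE.sub("", value)


def escape_no_quotes(value):
    """What htmlspecialchars() does without ENT_QUOTES (the default before
    PHP 8.1): encodes <, >, & and the double quote, but not the single quote."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def escape_all(value):
    """Context-correct encoding for HTML text and quoted attribute values:
    <, >, &, " and ' are all encoded."""
    return html.escape(value, quote=True)


def render_field(value, encoder):
    """Hypothetical template: the field is echoed into a single-quoted <input>
    value attribute and into a table cell, two places a form page shows it."""
    return (
        "<input name=\"parecer\" value='" + encoder(value) + "'>"
        "<td>" + encoder(value) + "</td>"
    )


class ScriptSniffer(HTMLParser):
    """Parses rendered markup roughly the way a browser would and records
    <script> elements and on* event-handler attributes, i.e. the places where
    an injected value would execute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag} {name} handler")


def audit(payload, encoder):
    """Render the payload through the given encoder and return the executable
    constructs that survive. An empty list means the encoder held."""
    sniffer = ScriptSniffer()
    sniffer.feed(render_field(payload, encoder))
    sniffer.close()
    return sniffer.findings


TAG_PAYLOAD = "<script>alert(1)</script>"     # the classic probe
ATTR_PAYLOAD = "' onmouseover='alert(1)"      # no tags at all: breaks out of the attribute

if __name__ == "__main__":
    encoders = [("none", lambda v: v), ("strip_tags", strip_tags),
                ("escape without quotes", escape_no_quotes), ("escape all", escape_all)]
    for label, enc in encoders:
        print(f"{label:22} tag payload  -> {audit(TAG_PAYLOAD, enc)}")
        print(f"{label:22} attr payload -> {audit(ATTR_PAYLOAD, enc)}")
```

strip_tags neutralizes the <script> probe but passes the attribute-breakout payload through untouched, and the quote-less escaper fails the same way because the single quote is exactly the character that closes the attribute. Only encoding every HTML-significant character for the rendering context holds for both payloads, and even that assumes the attribute is quoted: an unquoted attribute (value=...) is terminated by a space, and JavaScript or URL contexts need their own encoders rather than HTML entities.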
How to fix
Update i-Diario to the fixed release for your branch (1.5.1 for the current branch, as listed above). If no fixed release is available to you, consider disabling or removing the Informações Adicionais (Additional Information) page component until you can apply the fix. Review and validate user input in the Parecer, Objeto de Conhecimento and Habilidades fields, and HTML-encode it on output, to prevent script injection.
Frequently asked questions
What is CVE-2025-9104 (XSS in Portabilis i-Diario)?
CVE-2025-9104 is a cross-site scripting (XSS) vulnerability in Portabilis i-Diario versions 1.0 through 1.5.0 that allows an authenticated attacker to inject script into pages viewed by other users.
Am I affected by CVE-2025-9104 in Portabilis i-Diario?
If you run any i-Diario release from 1.0 up to and including 1.5.0 that is older than the fixed release for its branch (1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1 or 1.5.1, as listed above), you are affected.
How do I fix CVE-2025-9104 in Portabilis i-Diario?
Upgrade to the fixed release for your branch (1.5.1 for the current branch). Output encoding of the affected fields and WAF rules are temporary mitigations, not a fix.
Is CVE-2025-9104 being actively exploited?
A proof-of-concept is public, which lowers the bar for exploitation, but this page records no in-the-wild exploitation and the EPSS score is 0.04% (11th percentile).
Where can I find the official Portabilis advisory for CVE-2025-9104?
The vendor did not respond when contacted about this issue, so no vendor advisory is linked here; check the Portabilis release notes and security advisories for updates regarding CVE-2025-9104.