Platform: php
Fixed in: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Diario versions 1.0 to 1.5.0. This flaw resides within the Informações Adicionais Page component, specifically in an unknown function related to the /planos-de-aulas-por-disciplina/ file. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to session hijacking or defacement. A fix is available in version 1.5.1.
The XSS vulnerability in i-Diario allows an attacker to inject malicious scripts into web pages viewed by other users. This can be exploited to steal user credentials, redirect users to phishing sites, or deface the application. The attacker could potentially gain access to sensitive data stored within the i-Diario system, depending on the user's privileges and the application's functionality. Given the published proof-of-concept, the risk of exploitation is elevated, particularly for systems that haven't been patched.
A proof-of-concept (PoC) for CVE-2025-9104 has been publicly released, indicating a relatively high probability of exploitation. The vulnerability was disclosed on 2025-08-18. The vendor was contacted but did not respond. This lack of vendor engagement increases the risk of exploitation as it suggests a potential delay in further security updates or support.
Organizations using Portabilis i-Diario for educational planning and curriculum management are at risk, particularly those relying on older, unpatched versions (1.0 - 1.5.0). Shared hosting environments where multiple i-Diario instances are deployed on a single server are also at increased risk, as a successful exploit on one instance could potentially impact others.
• generic web: Use curl to test the /planos-de-aulas-por-disciplina/ endpoint with various payloads containing <script> tags or event handlers (e.g., onload).
  curl -X POST '/planos-de-aulas-por-disciplina/' -d 'Parecer/Objeto de Conhecimento/Habilidades=<script>alert("XSS")</script>'
• generic web: Examine access and error logs for suspicious requests containing XSS payloads or unusual characters in the Parecer/Objeto de Conhecimento/Habilidades parameter.
• php: Review the source code of the /planos-de-aulas-por-disciplina/ file for inadequate input validation or output encoding of the Parecer/Objeto de Conhecimento/Habilidades parameter. Look for functions like htmlspecialchars or strip_tags that are not being used correctly.
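An added example (not from the advisory or the i-Diario project) of the log check described above: it parses constructed combined-format access-log lines, keeps only requests to /planos-de-aulas-por-disciplina/, decodes the field value (including double percent-encoding) and flags script-injection indicators. It assumes the field name from the curl example is a single form key sent in the query string; POST bodies are normally absent from access logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint and form field named in the advisory (assumption: the field name
# from the curl example is one key, percent-encoded on the wire).
TARGET_PATH = "/planos-de-aulas-por-disciplina/"
TARGET_FIELD = "Parecer/Objeto de Conhecimento/Habilidades"

# Combined log format request line: "METHOD PATH?QUERY HTTP/x.y"
LOG_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators of script injection, matched against the fully decoded value
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),               # onload=, onerror=, ...
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
]

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; double encoding evades single-pass filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(line: str) -> list:
    """Decoded values of the target field in one log line that carry XSS indicators."""
    m = LOG_LINE_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(TARGET_PATH):
        return []
    hits = []
    for key, val in parse_qsl(parts.query, keep_blank_values=True):  # decodes once
        if fully_decode(key) != TARGET_FIELD:
            continue
        decoded = fully_decode(val)
        if any(p.search(decoded) for p in XSS_PATTERNS):
            hits.append(decoded)
    return hits

def scan(lines) -> dict:
    """Map index of each flagged line to the decoded values that triggered it."""
    return {i: h for i, line in enumerate(lines) if (h := suspicious_values(line))}

# Constructed sample lines (not real traffic): benign value, plain payload,
# double-encoded payload, and a payload against an unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Aug/2025:10:01:02 +0000] "GET /planos-de-aulas-por-disciplina/?Parecer%2FObjeto+de+Conhecimento%2FHabilidades=Leitura+e+escrita HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Aug/2025:10:02:45 +0000] "GET /planos-de-aulas-por-disciplina/?Parecer%2FObjeto+de+Conhecimento%2FHabilidades=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [18/Aug/2025:10:03:10 +0000] "GET /planos-de-aulas-por-disciplina/?Parecer%2FObjeto+de+Conhecimento%2FHabilidades=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 640',
    '10.0.0.3 - - [18/Aug/2025:10:04:00 +0000] "GET /login?next=%3Cscript%3E HTTP/1.1" 302 0',
]
```

Run `scan(SAMPLE_LOG)` over real access logs line by line; the fourth sample line shows that hits outside the advisory's endpoint are deliberately ignored so the check stays focused.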
Exploit status: disclosure, poc
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2025-9104 is to upgrade to Portabilis i-Diario version 1.5.1 or later. If immediate upgrading is not possible, consider implementing input validation and output encoding on the affected parameter (Parecer/Objeto de Conhecimento/Habilidades) to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update your WAF rules to ensure they are effective against emerging XSS techniques.
Update i-Diario to a version later than 1.5.0, if available, to resolve the XSS vulnerability. If no such version is available, consider disabling or removing the 'Informações Adicionais' (Additional Information) page component until a fix is published. Check and validate user input in the 'Parecer/Objeto de Conhecimento/Habilidades' field to prevent the injection of malicious code.
CVE-2025-9104 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Diario versions 1.0 through 1.5.0, allowing attackers to inject malicious scripts.
If you are using Portabilis i-Diario versions 1.0, 1.1, 1.2, 1.3, 1.4, or 1.5.0, you are potentially affected by this vulnerability.
Upgrade to Portabilis i-Diario version 1.5.1 or later to resolve this XSS vulnerability. Consider input validation and WAF rules as temporary mitigations.
A proof-of-concept has been publicly released, indicating a high probability of exploitation and potential active campaigns.
Please refer to the Portabilis security advisories page for updates and official information regarding CVE-2025-9104.