Platform: php
Fixed in: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1
CVE-2025-9106 describes a cross-site scripting (XSS) vulnerability discovered in Portabilis i-Diario versions 1.0 through 1.5.0. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. A fix is available in version 1.5.1, and the vulnerability details have been publicly disclosed.
The XSS vulnerability in i-Diario allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including stealing session cookies, redirecting users to phishing sites, or defacing the application's interface. Given the nature of i-Diario as a potentially sensitive educational management system, successful exploitation could expose student data, instructor information, and curriculum details. The public availability of an exploit significantly increases the risk of widespread attacks targeting vulnerable installations.
The vulnerability details and a proof-of-concept exploit have been publicly disclosed, indicating a heightened risk of exploitation. The CVSS score of 3.5 (LOW) suggests that while the vulnerability exists, the attack conditions may be somewhat limited or require specific user interaction. It is not currently listed on CISA KEV, but the public exploit warrants close monitoring.
Educational institutions and organizations utilizing Portabilis i-Diario for managing educational plans and curriculum are at risk. Specifically, installations running versions 1.0 through 1.5.0 are vulnerable. Shared hosting environments where multiple i-Diario instances reside on the same server are particularly susceptible due to the potential for cross-site contamination.
• wordpress / composer / npm:
# search the deployed source tree for the three affected field names
grep -rE "Parecer|Conteúdos|Objetivos" /var/www/i-diario/
• generic web:
# fetch the page body (not just headers) and look for raw script tags in it
curl -s http://your-i-diario-instance.com/planos-de-ensino-por-disciplina/ | grep -i "<script"
Exploit status: poc, disclosure
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-9106 is to upgrade to Portabilis i-Diario version 1.5.1 or later. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the /planos-de-ensino-por-disciplina/ page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies to prevent similar vulnerabilities in the future.
Update i-Diario to a version later than 1.5.0 that fixes the XSS (Cross-Site Scripting) vulnerability. If no such version is available, review and filter the input of the 'Parecer', 'Conteúdos' and 'Objetivos' fields at /planos-de-ensino-por-disciplina/ to prevent the injection of malicious code.
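The two mitigation paragraphs above both come down to the same control: anything typed into the 'Parecer', 'Conteúdos' and 'Objetivos' fields must be HTML-encoded when it is written back into the page. The following is an added example, not code from i-Diario or Portabilis; it is written in Ruby (i-Diario is a Ruby on Rails application) and uses only the standard library. It shows the unsafe rendering pattern next to the encoded one, plus a small regression check that flags a rendered fragment still containing raw markup. The field values are constructed test data, and the function names are this example's own.

```ruby
require 'cgi'

# Constructed sample teaching-plan record with the three free-text fields
# named in the advisory. The <script> value is a constructed test string,
# not a payload taken from the disclosure.
SAMPLE_PLAN = {
  'Parecer'   => 'Aluno aprovado <script>alert(1)</script>',
  'Conteúdos' => 'Frações & decimais',
  'Objetivos' => 'Resolver "problemas" <b>simples</b>'
}.freeze

# Vulnerable pattern: user-supplied text is interpolated straight into the
# HTML response, so any markup stored in the field is parsed and executed
# by the browser of whoever views the plan. Shown only for contrast.
def render_plan_unsafe(plan)
  plan.map { |label, value| "<p><strong>#{label}:</strong> #{value}</p>" }.join("\n")
end

# Hardened pattern: every user-controlled value is escaped at output time.
# CGI.escapeHTML turns & < > " ' into entities, so the text is displayed
# literally instead of being interpreted as HTML.
def render_plan_safe(plan)
  plan.map do |label, value|
    "<p><strong>#{CGI.escapeHTML(label)}:</strong> #{CGI.escapeHTML(value)}</p>"
  end.join("\n")
end

# Regression check for a code review or CI job: true when the rendered HTML
# still carries an unescaped <script tag or an inline on*= event handler.
def unsafe_markup?(html)
  html.match?(/<script\b/i) || html.match?(/<[a-z]+[^>]*\son[a-z]+\s*=/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe render flagged: #{unsafe_markup?(render_plan_unsafe(SAMPLE_PLAN))}" # true
  puts "safe render flagged:   #{unsafe_markup?(render_plan_safe(SAMPLE_PLAN))}"   # false
  puts render_plan_safe(SAMPLE_PLAN)
end
```

In a Rails view the same effect comes from letting ERB's default `<%= %>` escaping do its job and never passing these fields through `raw` or `html_safe`; the explicit `CGI.escapeHTML` call here simply makes the encoding step visible. Escaping on output, rather than stripping on input, is what keeps legitimate characters such as `&` and quotation marks in the stored text while still neutralising them in the page.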
CVE-2025-9106 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Diario versions 1.0 through 1.5.0, allowing attackers to inject malicious scripts.
You are affected if you are using Portabilis i-Diario versions 1.0, 1.1, 1.2, 1.3, 1.4, or 1.5.0. Upgrade is required.
Upgrade to Portabilis i-Diario version 1.5.1 or later to resolve the vulnerability. Consider temporary WAF rules as an interim measure.
A public proof-of-concept exploit exists, indicating a potential for active exploitation. Monitor your systems closely.
Refer to the Portabilis security advisories on their official website for the latest information and updates regarding CVE-2025-9106.