Platform: php
Fixed versions: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1
A cross-site scripting (XSS) vulnerability has been identified in Portabilis i-Diario versions 1.0 to 1.5.0. This flaw resides within the Informações Adicionais Page component, specifically in an unknown function related to the /planos-de-aulas-por-disciplina/ file. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to session hijacking or defacement. A fix is available in version 1.5.1.
The XSS vulnerability in i-Diario allows an attacker to inject malicious scripts into web pages viewed by other users. This can be exploited to steal user credentials, redirect users to phishing sites, or deface the application. The attacker could potentially gain access to sensitive data stored within the i-Diario system, depending on the user's privileges and the application's functionality. Given the published proof-of-concept, the risk of exploitation is elevated, particularly for systems that haven't been patched.
A proof-of-concept (PoC) for CVE-2025-9104 has been publicly released, which lowers the effort needed to exploit the flaw. The vulnerability was disclosed on 2025-08-18. The vendor was contacted but did not respond, so administrators should not expect a vendor advisory or backported fixes beyond the 1.5.1 release. The EPSS score shown on this page (0.04%, 11th percentile) is low, so the practical risk is targeted abuse of unpatched instances rather than broad opportunistic exploitation.
Organizations using Portabilis i-Diario for educational planning and curriculum management are at risk, particularly those running older, unpatched versions (1.0 to 1.5.0). On shared hosting where several i-Diario instances run on one server, an injected script executes in the origin of the instance it was stored in; other instances are exposed only if they are served from the same origin (scheme, host and port), since the browser's same-origin policy isolates instances on distinct hostnames.
• generic web: Use curl to submit payloads containing <script> tags or event handlers (e.g., onload) to the /planos-de-aulas-por-disciplina/ endpoint, then open the Informações Adicionais page as a second user and check whether the stored value comes back unencoded. The request must carry an authenticated session cookie and any anti-CSRF token the form includes; "Parecer/Objeto de Conhecimento/Habilidades" is the label the advisory uses for the affected fields, so substitute the actual form parameter name visible in the page's HTML. Host and cookie below are placeholders.
curl -X POST 'https://<i-diario-host>/planos-de-aulas-por-disciplina/' -b '<session-cookie>' --data-urlencode 'Parecer/Objeto de Conhecimento/Habilidades=<script>alert("XSS")</script>'
• generic web: Examine access and error logs for suspicious requests containing XSS payloads or unusual characters in the Parecer/Objeto de Conhecimento/Habilidades parameter. Most access logs record only the request line, so a payload sent in a POST body is visible only where request bodies are logged (for example by a WAF or reverse proxy); decode URL- and entity-encoded values before matching, or encoded payloads will be missed.
• php: Review the server-side code that handles the /planos-de-aulas-por-disciplina/ route for missing input validation or output encoding of the Parecer/Objeto de Conhecimento/Habilidades parameter. Look for places where the stored value is echoed into HTML without htmlspecialchars(), or where strip_tags() is relied on as the only protection: tag stripping is a denylist that can be bypassed, whereas encoding on output is what prevents the browser from interpreting the value as markup.
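As an added example (not part of the original advisory and not i-Diario code), the following Python script implements the log-review step above over a few constructed Common Log Format lines. The parameter names parecer, objeto_de_conhecimento and habilidades are assumptions standing in for the real form fields, and the IPs and timestamps are constructed. Each query value is URL-decoded and entity-decoded repeatedly before matching, so that a payload such as %26lt%3Bscript%26gt%3B (an entity-encoded <script> hidden behind URL encoding) is still flagged.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines in Common Log Format (not real traffic).
# Parameter names (parecer, objeto_de_conhecimento, habilidades) are assumed;
# the real field names are whatever the i-Diario form submits.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Aug/2025:10:01:02 +0000] "GET /planos-de-aulas-por-disciplina/ HTTP/1.1" 200 5120
203.0.113.7 - - [18/Aug/2025:10:02:13 +0000] "POST /planos-de-aulas-por-disciplina/?habilidades=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0
203.0.113.9 - - [18/Aug/2025:10:03:44 +0000] "GET /planos-de-aulas-por-disciplina/?parecer=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 5200
203.0.113.9 - - [18/Aug/2025:10:04:01 +0000] "GET /planos-de-aulas-por-disciplina/?objeto_de_conhecimento=%26lt%3Bscript%26gt%3B HTTP/1.1" 200 5200
198.51.100.2 - - [18/Aug/2025:10:05:22 +0000] "GET /planos-de-aulas-por-disciplina/?parecer=Fra%C3%A7%C3%B5es+e+decimais HTTP/1.1" 200 5200
"""

TARGET_PATH = "/planos-de-aulas-por-disciplina/"

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Ordered from most to least specific; the first match labels the finding.
INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("embedding element", re.compile(r"<\s*(iframe|svg|object|embed)\b", re.I)),
]


def normalize(value: str, rounds: int = 3) -> str:
    """Strip layered encodings (URL, then HTML entity) until the value stops changing."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(log_text: str, path_prefix: str = TARGET_PATH) -> list[dict]:
    """Return one finding per query-parameter value that carries an XSS indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(path_prefix):
            continue
        # parse_qs already applies one round of URL decoding; normalize() handles the rest.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:
                value = normalize(raw)
                for label, pattern in INDICATORS:
                    if pattern.search(value):
                        findings.append({
                            "ip": m.group("ip"),
                            "timestamp": m.group("ts"),
                            "method": m.group("method"),
                            "param": name,
                            "indicator": label,
                            "payload": value,
                        })
                        break
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['method']} {f['param']}: "
              f"{f['indicator']} -> {f['payload']!r}")
```

Run against real logs by passing the file contents to scan_log(); the legitimate Portuguese value on the last sample line is decoded but produces no finding, which is the behaviour you want before feeding the output to an alerting rule.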
Exploitation status: disclosure, poc
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9104 is to upgrade to Portabilis i-Diario version 1.5.1 or later. If immediate upgrading is not possible, encode the affected values (Parecer/Objeto de Conhecimento/Habilidades) for their HTML context at the point where they are rendered; output encoding is the control that stops the browser from interpreting stored text as markup, while input validation only narrows what can be stored and is easily bypassed on its own. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide a temporary layer of protection; review and update WAF rules regularly, since they are signature-based and do not cover every encoding of a payload.
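To make the output-encoding point concrete, here is an added Python example (not i-Diario code and not the change shipped in 1.5.1) that renders a field value three ways: interpolated raw, passed through a denylist sanitizer that strips <script> tags, and HTML-entity-encoded. A small HTMLParser-based checker reports whether the resulting markup still contains a script element, an on* attribute or a javascript: URI, i.e. whether a browser would execute anything. The payloads are constructed; the third is the classic nested-tag trick that only becomes executable after the sanitizer removes the inner tag.

```python
import html
import re
from html.parser import HTMLParser

# Constructed field values: three attacker payloads and one legitimate entry.
PAYLOADS = [
    '<script>alert("XSS")</script>',
    '<img src=x onerror=alert(document.cookie)>',
    '<scr<script>ipt>alert(1)</script>',   # becomes <script>alert(1) once the inner tag is stripped
    'Frações & decimais < 1',              # legitimate content that must survive intact
]

# Stand-in for the page template that shows the stored value (assumed markup).
TEMPLATE = '<div class="parecer">{}</div>'


def render_raw(value: str) -> str:
    """Interpolates the stored value straight into HTML, as an unpatched page effectively does."""
    return TEMPLATE.format(value)


def strip_script_tags(value: str) -> str:
    """Denylist sanitizer: removes <script> and </script> tags in one pass. Insufficient."""
    return re.sub(r"</?script[^>]*>", "", value, flags=re.I)


def render_stripped(value: str) -> str:
    return TEMPLATE.format(strip_script_tags(value))


def render_encoded(value: str) -> str:
    """Contextual output encoding for an HTML text node: the actual fix."""
    return TEMPLATE.format(html.escape(value, quote=True))


class ActiveContentDetector(HTMLParser):
    """Records constructs a browser would execute: script elements, on* attributes, javascript: URIs."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append(f"event handler {name}")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.hits.append(f"javascript: URI in {name}")


def active_content(markup: str) -> list[str]:
    """Return the executable constructs found in rendered markup (empty list means inert)."""
    detector = ActiveContentDetector()
    detector.feed(markup)
    detector.close()
    return detector.hits


RENDERERS = {
    "raw": render_raw,
    "strip_script_tags": render_stripped,
    "encoded": render_encoded,
}


def evaluate() -> dict[str, list[bool]]:
    """For each renderer, whether each payload still yields executable content."""
    return {
        name: [bool(active_content(render(p))) for p in PAYLOADS]
        for name, render in RENDERERS.items()
    }


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:18s} executable per payload: {results}")
```

The interesting row is strip_script_tags: it neutralises the first payload, leaves the onerror handler untouched, and turns the third payload into a working <script> tag that the raw rendering did not even contain. Encoding leaves every payload inert while the legitimate "Frações & decimais < 1" still displays correctly after the browser decodes the entities.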
If available, update i-Diario to a version later than 1.5.0 to fix the XSS vulnerability. If that is not possible, consider disabling or removing the Informações Adicionais Page component until a fix is deployed. Review and validate user input in the 'Parecer/Objeto de Conhecimento/Habilidades' fields to prevent malicious code injection.
CVE-2025-9104 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Diario versions 1.0 through 1.5.0, allowing attackers to inject malicious scripts.
If you are using Portabilis i-Diario versions 1.0, 1.1, 1.2, 1.3, 1.4, or 1.5.0, you are potentially affected by this vulnerability.
Upgrade to Portabilis i-Diario version 1.5.1 or later to resolve this XSS vulnerability. Consider input validation and WAF rules as temporary mitigations.
A proof-of-concept has been publicly released, which lowers the bar for exploiting unpatched instances; this page reports no active exploitation campaigns, and the EPSS score is 0.04% (11th percentile).
Please refer to the Portabilis security advisories page for updates and official information regarding CVE-2025-9104.