Platform
php
Fixed versions
1.0.1
1.1.1
1.2.1
1.3.1
1.4.1
1.5.1
CVE-2025-9106 describes a cross-site scripting (XSS) vulnerability discovered in Portabilis i-Diario versions 1.0 through 1.5.0. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. A fix is available in version 1.5.1, and the vulnerability details have been publicly disclosed.
The XSS vulnerability in i-Diario allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including stealing session cookies, redirecting users to phishing sites, or defacing the application's interface. Given the nature of i-Diario as a potentially sensitive educational management system, successful exploitation could expose student data, instructor information, and curriculum details. The public availability of an exploit significantly increases the risk of widespread attacks targeting vulnerable installations.
The vulnerability details and a proof-of-concept exploit have been publicly disclosed, indicating a heightened risk of exploitation. The CVSS score of 3.5 (LOW) suggests that while the vulnerability exists, the attack conditions may be somewhat limited or require specific user interaction. It is not currently listed on CISA KEV, but the public exploit warrants close monitoring.
Educational institutions and organizations utilizing Portabilis i-Diario for managing educational plans and curriculum are at risk. Specifically, installations running versions 1.0 through 1.5.0 are vulnerable. Shared hosting environments where multiple i-Diario instances reside on the same server are particularly susceptible due to the potential for cross-site contamination.
• wordpress / composer / npm:
grep -r "Parecer/Conteúdos/Objetivos" /var/www/i-diario/
• generic web:
curl -s http://your-i-diario-instance.com/planos-de-ensino-por-disciplina/ | grep -i "<script"
Disclosure
PoC
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9106 is to upgrade to Portabilis i-Diario version 1.5.1 or later. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the /planos-de-ensino-por-disciplina/ page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies to prevent similar vulnerabilities in the future.
Update i-Diario to a version later than 1.5.0 to fix the XSS vulnerability. If that is not possible, review and filter the input to the 'Parecer', 'Conteúdos' and 'Objetivos' fields in the /planos-de-ensino-por-disciplina/ file to prevent malicious code injection.
CVE-2025-9106 is a cross-site scripting (XSS) vulnerability affecting Portabilis i-Diario versions 1.0 through 1.5.0, allowing attackers to inject malicious scripts.
You are affected if you are using Portabilis i-Diario versions 1.0, 1.1, 1.2, 1.3, 1.4, or 1.5.0. Upgrade is required.
Upgrade to Portabilis i-Diario version 1.5.1 or later to resolve the vulnerability. Consider temporary WAF rules as an interim measure.
A public proof-of-concept exploit exists, indicating a potential for active exploitation. Monitor your systems closely.
Refer to the Portabilis security advisories on their official website for the latest information and updates regarding CVE-2025-9106.