CVE-2025-9105 in i-Diario
Summary
by MITRE • 08/18/2025
A vulnerability has been found in Portabilis i-Diario up to 1.5.0. This affects an unknown part of the file /planos-de-ensino-por-areas-de-conhecimento/ of the component Informações Adicionais Page. The manipulation of the argument Parecer/Conteúdos/Objetivos leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 09/03/2025
The vulnerability identified as CVE-2025-9105 is a critical cross-site scripting (XSS) flaw in the Portabilis i-Diario platform, version 1.5.0 and earlier. The weakness lies in the Informações Adicionais Page component, specifically under the path /planos-de-ensino-por-areas-de-conhecimento/, where user input is not adequately sanitized before it is processed and rendered. It is triggered by manipulating the Parecer/Conteúdos/Objetivos argument, which gives an attacker an entry point to inject script into the application's response. The flaw falls under CWE-79 (Cross-site Scripting), a fundamental web application weakness that lets an attacker execute script in the browser context of other users. Because it is remotely exploitable, no physical access to the target system is needed, which makes it particularly dangerous for a web application that serves many users.
The operational impact goes beyond simple script execution: a successful injection opens paths to more sophisticated attacks such as session hijacking, data theft, and privilege escalation. Script injected through the Parecer/Conteúdos/Objetivos parameter runs in the browser of any user who visits the affected page, which can lead to unauthorized access to sensitive educational data or administrative functions. That the exploit has been publicly disclosed and is actively being used in the wild significantly raises the risk for organizations running this software. Because the flaw sits in the system's educational planning component, an attacker could tamper with curriculum data or academic records, or reach user authentication mechanisms tied to the same platform. This is a serious concern for educational institutions that rely on digital platforms for academic administration and student information management.
The security implications of CVE-2025-9105 map to several techniques in the MITRE ATT&CK framework, particularly those in the initial access and execution phases. An attacker can use the vulnerability as one link in a longer chain to gain persistent access to educational systems, for example by using injected script to redirect users to malicious sites or to harvest credentials from authenticated sessions. The vendor's silence in response to early disclosure compounds the risk: organizations have no assurance that a patch or mitigation is coming and remain exposed to continued exploitation. They should therefore put compensating controls in place now, such as a web application firewall, input validation at multiple layers, and monitoring for suspicious values of the affected parameters under the affected path. The vulnerability underlines the importance of proper input sanitization and output encoding, as recommended in the OWASP Top Ten, especially in applications that handle sensitive educational data, where the potential for cascading security incidents is high.
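The two defensive measures the analysis calls for, output encoding of the free-text fields and monitoring of request logs for suspicious values of those parameters, are shown below as an added Ruby example. This is illustrative code written for this page, not i-Diario's own source (the project is a Rails application, but nothing here is taken from it). The parameter names `parecer`, `conteudos` and `objetivos`, the path prefix check and the request-log format are assumptions; the sample log lines are constructed.

```ruby
require "erb"
require "cgi"

# Assumed query-parameter names for the Parecer/Conteúdos/Objetivos fields.
ADDITIONAL_INFO_FIELDS = %w[parecer conteudos objetivos].freeze

# Assumed path of the affected page, taken from the advisory text.
AFFECTED_PATH_PREFIX = "/planos-de-ensino-por-areas-de-conhecimento".freeze

# Unsafe pattern: the stored value is interpolated into the page verbatim, so any
# markup it contains becomes part of the DOM. Kept only to contrast with the fix.
def render_unescaped(field, value)
  %(<div class="#{field}">#{value}</div>)
end

# Hardened pattern: HTML-encode the value at output time. ERB::Util.html_escape
# turns <, >, &, " and ' into entities, so the browser shows the text instead of
# interpreting it as markup.
def render_escaped(field, value)
  %(<div class="#{field}">#{ERB::Util.html_escape(value)}</div>)
end

# Render all three fields from a params-like hash (missing fields render empty).
def render_additional_info(params)
  ADDITIONAL_INFO_FIELDS.map { |f| render_escaped(f, params.fetch(f, "")) }.join("\n")
end

# Monitoring side: a coarse pattern for markup or script-bearing values.
# Tag openers, the javascript: scheme and inline event-handler attributes.
SUSPICIOUS_VALUE = %r{<\s*/?\s*[a-z]|javascript:|\bon\w+\s*=}i

# Inspect one constructed log line of the form "<METHOD> <path>?<query>" and
# return the names of affected-page parameters whose values look suspicious.
# Only requests under the affected path are considered.
def suspicious_params(log_line)
  target = log_line.split(" ", 2).last.to_s
  path, query = target.split("?", 2)
  return [] unless path.start_with?(AFFECTED_PATH_PREFIX) && query

  # CGI.parse URL-decodes values, so encoded markup is inspected in clear.
  CGI.parse(query)
     .select { |name, values| ADDITIONAL_INFO_FIELDS.include?(name) && values.any? { |v| v.match?(SUSPICIOUS_VALUE) } }
     .keys
end

if __FILE__ == $PROGRAM_NAME
  sample = { "parecer" => "<b>nota</b>", "conteudos" => "Frações", "objetivos" => "Ler & interpretar" }
  puts render_unescaped("parecer", sample["parecer"])
  puts render_additional_info(sample)

  # Constructed log lines, not real traffic.
  logs = [
    "GET /planos-de-ensino-por-areas-de-conhecimento/10?parecer=%3Cb%3Enota%3C%2Fb%3E&objetivos=ler+textos",
    "GET /planos-de-ensino-por-areas-de-conhecimento/10?conteudos=Fra%C3%A7%C3%B5es",
    "GET /alunos?parecer=%3Cb%3E",
  ]
  logs.each { |l| puts "#{l} -> #{suspicious_params(l).inspect}" }
end
```

In a Rails view, `<%= %>` already applies this escaping by default; the usual way it is lost is by marking user-controlled strings as safe with `raw` or `html_safe`, so reviewing those call sites on the affected templates is the first place to look. The log check is deliberately simple and is meant as a triage signal for the affected path rather than a substitute for fixing the rendering.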