CVE-2025-7109
BaseFortify
Publication date: 2025-07-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-educar | 2.9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7109 is a stored cross-site scripting (XSS) vulnerability in Portabilis i-Educar version 2.9.0, specifically in the Student Benefits Registration component. It occurs because the "BenefΓcio" input field does not properly sanitize user input, allowing attackers to inject malicious JavaScript code. This malicious script is stored and later executed automatically when authenticated users access the benefits listing page, potentially compromising user interactions with the web application. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of authenticated users, such as administrators or school staff. This can lead to unauthorized actions, session hijacking, or manipulation of data within the application. Since the attack requires user interaction and valid credentials, it primarily affects users who access the affected module, potentially compromising data integrity and user trust. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file /intranet/educar_aluno_beneficio_lst.php in Portabilis i-Educar version 2.9.0 and by searching for the usage of the "BenefΓcio" argument that is susceptible to cross-site scripting. One method is to use Google dorking with queries like `inurl:intranet/educar_aluno_beneficio_lst.php` to identify vulnerable targets. Additionally, testing the input field "BenefΓcio" by injecting a harmless script payload such as `<script>alert('test')</script>` and observing if it executes when viewing the benefits listing page can confirm the vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input sanitization by stripping HTML and script tags and escaping special characters in all input fields, especially the "BenefΓcio" field. Proper HTML encoding should be applied to all dynamic content before rendering it on web pages. Utilizing established XSS protection libraries such as OWASP Java Encoder or DOMPurify to filter and sanitize untrusted data is also recommended. If possible, consider replacing the affected component or product, as no official patches or vendor responses are available. [2, 1]