CVE-2025-7110
BaseFortify
Publication date: 2025-07-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-educar | 2.9.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7110 is a stored cross-site scripting (XSS) vulnerability in Portabilis i-Educar version 2.9.0, in the School Module. The application does not validate the 'Escola' (school name) field on input and does not encode it when rendering the school list page. An authenticated attacker who can edit a school record can therefore store JavaScript in this field; the script is executed in the browser of every logged-in user who subsequently views the school list. This lets the attacker run arbitrary script in the context of other users' sessions. [1, 2]
How can this vulnerability impact me?
An attacker can execute malicious script in the browsers of authenticated users. This can lead to actions performed on the victims' behalf within the application, theft of session tokens or other sensitive data, and compromise of user accounts or of data integrity in the affected system. Exploitation requires an authenticated attacker with edit access to school records and a victim who views the school list page, so the exposed population is the application's own users; within that population the risk is significant, since the payload persists and fires for every viewer. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First confirm whether Portabilis i-Educar 2.9.0 is deployed. Exposed instances can be located with the Google dork inurl:intranet/educar_escola_lst.php, although a hit only shows that an i-Educar install exists, not that it is vulnerable. To test for the flaw itself, submit a harmless marker payload such as <script>alert('PoC VulDB i-Educar Pacxxx')</script> in the 'Escola' field through the edit page (/intranet/educar_escola_det.php?cod_escola=ID) and then check whether the script executes when the school list page (/intranet/educar_escola_lst.php) is loaded. Because the payload is stored and shown to every user, run this only on a test instance or with explicit authorisation, and remove the marker afterwards. No network-level commands or signatures are published for this issue; testing through the web interface as described, or inspecting the rendered school list page for unencoded markup, is the practical check. [1, 2]
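The inspection step above can be automated against a saved copy of the school list page. The following Python script is an added example, not code from the advisory or from the i-Educar project: it parses the page and reports where the marker text from the PoC payload ends up. If the marker sits inside a live script body or an inline event handler, the field was rendered unencoded; if it only appears as visible text (entity-encoded by the server), the page is handling it correctly. The two HTML samples are constructed to resemble a school list row and do not reproduce the real educar_escola_lst.php markup.

```python
"""Check a saved school-list page for a stored-XSS marker rendered as live markup.

Added example; not part of the original page or of the i-Educar project.
VULNERABLE_PAGE / PATCHED_PAGE are constructed samples, not real responses.
"""
from html.parser import HTMLParser

# Distinctive text from the PoC payload quoted on the page.
MARKER = "PoC VulDB i-Educar"


class ActiveContentScanner(HTMLParser):
    """Collects <script> bodies, on* handlers and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}={value!r}")
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}={value!r}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> content to handle_data verbatim, so this
        # branch only sees text that the browser would execute.
        if self._in_script and data.strip():
            self.findings.append(f"script:{data.strip()}")


def active_content(page_html):
    """Return every executable fragment found in the page."""
    scanner = ActiveContentScanner()
    scanner.feed(page_html)
    scanner.close()
    return scanner.findings


def marker_rendered_live(page_html, marker=MARKER):
    """True if the marker appears inside executable content: the field was not encoded."""
    return any(marker in finding for finding in active_content(page_html))


# Constructed sample: the school name interpolated raw into the cell.
VULNERABLE_PAGE = (
    '<table><tr><td class="escola">'
    "<script>alert('PoC VulDB i-Educar Pacxxx')</script>"
    "</td></tr></table>"
)

# Constructed sample: the same stored value, entity-encoded by the server.
PATCHED_PAGE = (
    '<table><tr><td class="escola">'
    "&lt;script&gt;alert(&#039;PoC VulDB i-Educar Pacxxx&#039;)&lt;/script&gt;"
    "</td></tr></table>"
)

if __name__ == "__main__":
    for label, page in (("vulnerable sample", VULNERABLE_PAGE), ("patched sample", PATCHED_PAGE)):
        print(label, "->", "marker is live" if marker_rendered_live(page) else "marker is inert text")
```

To use it against a test instance, fetch /intranet/educar_escola_lst.php with an authenticated session (for example with curl or requests) and pass the response body to marker_rendered_live(). Matching on the marker rather than on any <script> tag avoids flagging the application's own legitimate scripts.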
What immediate steps should I take to mitigate this vulnerability?
The root fix is output encoding: every user-supplied value, including the 'Escola' field, must be HTML-encoded at the point where it is written into the page, in every context it lands in (element text and attribute values). i-Educar is a PHP application, so the directly applicable tools are PHP's built-in htmlspecialchars() for plain-text fields and HTMLPurifier where some HTML must be preserved; OWASP Java Encoder serves the same role in Java code, and DOMPurify sanitises HTML on the client side. Rejecting input that contains script or HTML tags in the 'Escola' field is worthwhile as defence in depth, but a blocklist alone is bypassable and does not replace encoding. According to the advisory the vendor had not provided a fix or response, so until one is available, restrict the ability to edit school records to trusted administrators, consider a Content-Security-Policy to limit the impact of injected script, and, where that is not acceptable, consider replacing the affected component with an alternative product. [1, 2]
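The difference between the two mitigations above is easiest to see side by side. The following Python block is an added example, not i-Educar code: the row layout, function names and sample payloads are assumptions. It renders a school name the way the vulnerable pattern does (raw interpolation), then the hardened way (encoding for both the text and attribute contexts), and shows that a "reject <script>" input filter lets through payloads that need no script tag at all.

```python
"""Vulnerable vs. hardened rendering of a user-supplied school name.

Added example, not code from i-Educar; the row markup and function names are
assumptions. Demonstrates why output encoding at the HTML sink is the fix and
why a blocklist applied to input is only defence in depth.
"""
import html
import re

# A typical blocklist-style input check: catches only a literal <script> tag.
SCRIPT_BLOCKLIST = re.compile(r"<\s*script", re.IGNORECASE)


def naive_input_filter_rejects(name):
    """Return True if the blocklist would reject this value."""
    return bool(SCRIPT_BLOCKLIST.search(name))


def render_row_vulnerable(cod_escola, name):
    """CWE-79 pattern: the stored name is interpolated straight into HTML."""
    return (
        f'<tr><td><a href="educar_escola_det.php?cod_escola={cod_escola}" '
        f'title="{name}">{name}</a></td></tr>'
    )


def render_row_hardened(cod_escola, name):
    """Encode for both contexts the value lands in: element text and a quoted attribute."""
    safe = html.escape(name, quote=True)  # & < > " ' -> entities
    cod = int(cod_escola)                 # numeric id: coerce instead of encoding
    return (
        f'<tr><td><a href="educar_escola_det.php?cod_escola={cod}" '
        f'title="{safe}">{safe}</a></td></tr>'
    )


# Constructed payloads: the marker from the page, plus two that carry no <script>.
SAMPLES = [
    "<script>alert('PoC VulDB i-Educar Pacxxx')</script>",  # payload quoted in the advisory
    "<img src=x onerror=alert(1)>",                         # passes the blocklist, still executes
    '" onmouseover="alert(1)',                              # breaks out of the title attribute
]


def blocklist_misses(samples=SAMPLES):
    """Payloads the input blocklist would accept unchanged."""
    return [s for s in samples if not naive_input_filter_rejects(s)]


if __name__ == "__main__":
    for payload in SAMPLES:
        print("vulnerable:", render_row_vulnerable(1, payload))
        print("hardened:  ", render_row_hardened(1, payload))
    print("accepted by blocklist:", blocklist_misses())
```

The hardened renderer never emits a raw angle bracket or quote from user data, so the three payloads all become inert text. Coercing cod_escola to an integer is the equivalent step for the numeric URL parameter.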