CVE-2025-7111
BaseFortify
Publication date: 2025-07-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-educar | 2.9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7111 is a Stored Cross-Site Scripting (XSS) vulnerability in Portabilis i-Educar version 2.9.0, specifically in the Course Module. It occurs because the 'Curso' field accepts and stores malicious JavaScript code without proper sanitization. When authenticated users navigate or paginate through the course list, the stored script executes in their browsers. This allows attackers to inject and run arbitrary scripts in the context of the web application, potentially manipulating or stealing information from users. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of the web application when users interact with the vulnerable Course Module. This can lead to unauthorized actions such as stealing session tokens, manipulating displayed data, or performing actions on behalf of the user. Since the attack requires user interaction and authentication, it primarily affects authenticated users and can compromise data integrity and user trust. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'Curso' field in the Portabilis i-Educar 2.9.0 application for stored cross-site scripting (XSS). Specifically, you can attempt to inject a script payload into the 'Curso' field via the course edit page (/intranet/educar_curso_cad.php?cod_curso=ID) and then observe if the script executes when navigating the course list pagination (/intranet/educar_curso_lst.php?busca=). Detection involves authenticating to the application, editing or creating a course entry, inserting a test script such as <script>alert('test')</script> into the 'Curso' field, saving it, and then browsing the course list to see if the alert triggers. There are no specific network commands provided, but manual testing via the web interface or automated web vulnerability scanners targeting stored XSS in the 'Curso' parameter can be used. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input sanitization to reject or neutralize any script or HTML content in the 'Curso' field inputs, and applying proper output encoding to all user-supplied data before rendering it in HTML contexts. Utilizing established XSS mitigation libraries such as OWASP Java Encoder, HTMLPurifier, or DOMPurify is recommended to ensure safe handling of user inputs. Since no official patch or vendor response is available, consider replacing the affected component or product if possible. [2, 1]