CVE-2025-7113
BaseFortify
Publication date: 2025-07-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-educar | 2.9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in Portabilis i-Educar version 2.9.0, specifically in the Curricular Components module. An authenticated attacker can inject malicious JavaScript code into the 'Nome' field of a curricular component. This malicious script is stored and executed whenever the component list is accessed, potentially affecting users who view that page. [1, 2]
How can this vulnerability impact me? :
The vulnerability allows an attacker to inject and execute malicious scripts in the context of the affected application. This can lead to unauthorized actions performed on behalf of users, manipulation of displayed content, or theft of sensitive information such as session tokens. Since the attack is stored and triggered when users access the component list, it can impact multiple users remotely, potentially compromising data integrity and user trust. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a test script payload into the "Nome" field of the Curricular Components module via the vulnerable endpoint `/module/ComponenteCurricular/edit?id=ID`. Detection involves authenticating to Portabilis i-Educar 2.9.0, navigating to the component edit page, and inserting a harmless script such as `<script>alert('PoC VulDB i-Educar Pacxxx')</script>` into the "Nome" field. If the script executes when viewing the component list, the system is vulnerable. There are no specific network commands provided, but manual testing through the web interface as described is the recommended detection method. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input sanitization to reject or neutralize any input containing scripts or HTML tags in the "Nome" field, and applying proper output encoding to all user-supplied data before rendering it in HTML contexts. Utilizing established XSS mitigation libraries such as OWASP Java Encoder, HTMLPurifier, or DOMPurify is recommended. Since the vendor has not responded and no official patches are available, consider restricting access to the vulnerable module or replacing the affected component with an alternative product. [1, 2]