CVE-2025-7870
BaseFortify
Publication date: 2025-07-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-diario | 1.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7870 is a cross-site scripting (XSS) vulnerability in Portabilis i-Diario version 1.5.0, specifically in the justificativas-de-falta endpoint. It occurs because the 'Anexo' (attachment) argument is handled improperly, allowing a remote attacker to inject malicious JavaScript. The issue can be exploited by uploading a malicious SVG file containing embedded scripts; when the stored file is accessed, the scripts run within the web application's context, giving unauthorized script execution. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to the injection and storage of malicious JavaScript on the server, which executes for all users accessing the affected pages. The impacts include theft of sensitive user information such as session cookies and authentication tokens, redirection of users to malicious websites, manipulation of the application's user interface facilitating phishing and social engineering attacks, and overall compromise of the application's integrity and user security. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'justificativas-de-falta' endpoint of Portabilis i-Diario 1.5.0 for cross-site scripting (XSS) via the 'Anexo' argument. One practical approach is to attempt uploading an SVG file containing embedded JavaScript, such as the provided proof-of-concept payload. For example, you can create an SVG file with the following content:

```xml
<svg xmlns="http://www.w3.org/2000/svg" fill="none">
  <script>
    alert("This is an XSS-POC from CVEHUNTERS");
  </script>
</svg>
```

Then upload this file through the 'justificativas-de-falta' endpoint and access the uploaded file to see whether the script executes; if it does, the vulnerability is present. Network detection could involve monitoring HTTP requests to this endpoint for suspicious file uploads or script injections. Specific commands depend on your environment, but using curl to upload the SVG or browser developer tools to inspect the response can be helpful. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of Portabilis i-Diario version 1.5.0 or replacing it with an alternative product, as no official patches or mitigations have been published by the vendor. Additionally, restrict or disable file uploads to the 'justificativas-de-falta' endpoint if possible, especially SVG files that can contain embedded scripts. Implement web application firewall (WAF) rules to detect and block malicious payloads targeting this endpoint. Educate users to be cautious about interacting with uploaded files from untrusted sources. Monitoring and logging access to this endpoint can also help detect exploitation attempts. [1, 2]
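As an added example, not from BaseFortify, VulDB or the i-Diario project, the following Python shows two of the mitigations above in working form: a pre-storage check that rejects SVG attachments carrying active content, and the response headers for serving stored attachments as downloads so a file that slipped through is never rendered in the application's origin. The element and attribute deny lists are a constructed, conservative set (assumed, not the vendor's), and the sample inputs are the page's proof-of-concept SVG plus a constructed harmless drawing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed deny list of SVG elements that can run or embed active content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
URL_ATTRS = {"href", "src", "data"}
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript):", re.I)

def _local(name: str) -> str:  # strip a namespace prefix like {http://www.w3.org/2000/svg}
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_bytes: bytes, max_size: int = 1_000_000) -> list[str]:
    """Return the reasons an SVG upload should be rejected (empty list = none found)."""
    if len(svg_bytes) > max_size:
        return ["file exceeds size limit"]
    try:
        root = ET.fromstring(svg_bytes)  # well-formed XML only; no external entity resolution
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            attr = _local(name).lower()
            if attr.startswith("on"):  # onload, onclick, ... event-handler attributes
                findings.append(f"event handler {attr}")
            elif attr in URL_ATTRS and SCRIPT_URL.match(value):
                findings.append(f"{attr} with script URL")
    return findings

def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored attachment as a download (caller supplies a sanitized filename)."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }

# Sample inputs: the page's proof-of-concept SVG, and a constructed harmless drawing.
POC_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" fill="none"> <script> alert("This is an XSS-POC from CVEHUNTERS"); </script> </svg>'
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    for label, data in (("poc", POC_SVG), ("clean", CLEAN_SVG)):
        print(label, find_active_content(data) or "accepted")
```

The check is a deny list, so it is a stop-gap alongside the vendor fix rather than a replacement for it; rasterizing SVG uploads to PNG on the server removes the active-content problem entirely.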