CVE-2025-7871
BaseFortify
Publication date: 2025-07-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-diario | 1.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7871 is a cross-site scripting (XSS) vulnerability in Portabilis i-Diario version 1.5.0. It occurs in the /conteudos endpoint through the filter[by_description] parameter, which does not properly neutralize user input. This allows attackers to inject malicious scripts that execute in the victim's browser when they interact with the vulnerable parameter. The attack can be initiated remotely and requires user interaction. There are no known patches or vendor responses, and a public proof-of-concept exploit exists. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the context of a user's browser, potentially enabling them to perform actions available to the user such as viewing or modifying data, stealing cookies or confidential information, installing malware, compromising accounts, and damaging business reputation through misinformation or website defacement. It can also misdirect users by altering displayed instructions, which is especially critical for governmental or essential resource websites. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP requests to the `/conteudos` endpoint with the `filter[by_description]` parameter containing typical XSS payloads such as `"><img src=x onerror=alert('XSS-PoC')>`. Monitoring for reflected script execution or unexpected JavaScript alerts in the response indicates the presence of the vulnerability. Using tools like curl or Burp Suite to send these requests and observe responses can help detect it. For example, a curl command to test could be: curl -v "http://target-site/conteudos?filter[by_description]=\"><img src=x onerror=alert('XSS-PoC')>" [1, 2]
What immediate steps should I take to mitigate this vulnerability?
There are no known patches or fixes available from the vendor for this vulnerability. Immediate mitigation steps include avoiding use of Portabilis i-Diario 1.5.0 or considering alternative products. Additionally, implementing web application firewalls (WAF) to filter malicious input, disabling or restricting the vulnerable endpoint if possible, and educating users to avoid interacting with suspicious links can reduce risk. Monitoring for exploitation attempts and applying general XSS protections in front-end code may also help. [1]