CVE-2025-8541
BaseFortify
Publication date: 2025-08-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-educar | 2.10.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8541 is a Stored Cross-Site Scripting (XSS) vulnerability in Portabilis i-Educar version 2.10, specifically in the file /intranet/public_uf_cad.php. It occurs because the application does not properly validate or sanitize user input in the 'nome' parameter, allowing attackers to inject malicious scripts. These scripts are stored on the server and executed automatically when users access a related page, enabling remote attackers to perform malicious actions. [1, 2]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to session cookie theft, browser hijacking, credential theft, malware distribution, unauthorized access to sensitive information, website defacement, user misdirection, and reputational damage to the affected organization. The attack requires user interaction and elevated privileges but can be initiated remotely. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable endpoint `/intranet/public_uf_cad.php` on your system. You can use Google dorking with the query `inurl:intranet/public_uf_cad.php` to identify potentially vulnerable targets. Additionally, testing the `nome` parameter by injecting a harmless XSS payload such as `<img src=x onerror=alert(1)>` in the 'Nome' field on the affected page and observing if the script executes on the `/intranet/public_uf_lst.php` page can confirm the vulnerability. Network scanning tools or web vulnerability scanners that detect stored XSS vulnerabilities on this endpoint can also be used. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been published for this vulnerability. Immediate steps include avoiding use of the affected product version 2.10 of Portabilis i-Educar if possible, or restricting access to the vulnerable endpoint `/intranet/public_uf_cad.php`. Input validation and sanitization of the `nome` parameter should be implemented to neutralize malicious scripts. Consider replacing the affected product or applying custom patches to fix the input handling. Monitoring for suspicious activity and educating users about the risk of XSS attacks can also help mitigate impact. [2]