CVE-2025-8542
BaseFortify
Publication date: 2025-08-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-educar | 2.10.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8542 is a cross-site scripting (XSS) vulnerability in Portabilis i-Educar version 2.10, specifically in the /intranet/empresas_cad.php file. It occurs because the application does not properly validate or sanitize user inputs in the 'fantasia' and 'razao_social' parameters, allowing attackers to inject malicious scripts. These scripts can be stored on the server and executed in users' browsers when they access certain pages, potentially leading to unauthorized actions or data compromise. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to session cookie theft, browser hijacking, credential theft, malware downloads, exposure of sensitive information, website defacement, user misdirection, and reputational damage to affected businesses. Attackers can exploit the vulnerability remotely, and although some user interaction and authentication are required, the impact can be significant. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable endpoint /intranet/empresas_cad.php and testing the parameters 'fantasia' and 'razao_social' for cross-site scripting (XSS) injection. One method is to use Google dorking with the query `inurl:intranet/empresas_cad.php` to identify potentially vulnerable targets. Additionally, you can test the input fields by injecting a simple XSS payload such as `<img src=x onerror=alert(1)>` into the 'Nome Fantasia' and 'RazΓ£o Social' fields and observe if the script executes on the page /intranet/empresas_lst.php. Commands to detect this might include using curl or wget to send crafted requests, for example: `curl -X POST -d "fantasia=<img src=x onerror=alert(1)>" -d "razao_social=<img src=x onerror=alert(1)>" http://target/intranet/empresas_cad.php` and then checking the response or the subsequent page for script execution. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
No known mitigations or countermeasures have been published for this vulnerability. Immediate steps include considering replacing the affected product Portabilis i-Educar 2.10, restricting access to the vulnerable endpoint /intranet/empresas_cad.php, and applying strict input validation and sanitization on the 'fantasia' and 'razao_social' parameters if possible. Additionally, monitoring for suspicious activity and limiting user privileges to reduce the impact of exploitation are recommended. [1]