CVE-2025-8787
BaseFortify
Publication date: 2025-08-10
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-diario | to 1.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8787 is a stored cross-site scripting (XSS) vulnerability in Portabilis i-Diario up to version 1.5.0. It affects the component 'Registro das atividades' specifically in the file /registros-de-conteudos-por-disciplina/. The vulnerability occurs because user inputs in parameters like 'Registro de atividades' and 'ConteΓΊdos' are not properly validated or sanitized. Attackers can inject malicious JavaScript code that is stored on the server and executed in the browsers of users who access the affected page, potentially leading to various malicious actions. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to several impacts including theft of session cookies enabling session hijacking, download and installation of malware on victim machines, browser hijacking, theft of user credentials, unauthorized access to sensitive information, website defacement, misdirection of users through manipulated content, and damage to the business's reputation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected endpoint `/registros-de-conteudos-por-disciplina/[ID]` for stored cross-site scripting (XSS) by injecting a proof-of-concept payload such as `<script>alert('PoC-XXS2')</script>` into the `Parecer` parameter or other vulnerable parameters like `Registro de atividades` and `ConteΓΊdos`. After injection, accessing the affected page or the "HistΓ³rico" option in the application should trigger the alert if the vulnerability exists. Detection involves manual or automated web application security testing tools that can inject and detect stored XSS payloads. Specific commands depend on the tools used, but for example, using curl to POST the payload or using a web proxy/interceptor to inject the payload can be done. However, no explicit commands are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of the affected Portabilis i-Diario versions up to 1.5.0, as no patches or vendor mitigations are currently available. Consider replacing the affected product with an alternative solution. Additionally, restrict user input to the vulnerable parameters and implement web application firewall (WAF) rules to detect and block typical XSS payloads. Educate users to avoid interacting with suspicious content. Monitoring and alerting on unusual activity related to the vulnerable endpoint can also help reduce impact. [2]