CVE-2025-8919
BaseFortify
Publication date: 2025-08-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-diario | to 1.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8919 is a stored Cross-Site Scripting (XSS) vulnerability in Portabilis i-Diario up to version 1.6. It occurs due to improper validation and sanitization of user input in the cΓ³digo and objetivo/habilidade fields at the endpoint /objetivos-de-aprendizagem-e-habilidades. An attacker can inject malicious JavaScript code into these fields, which is then stored and executed in the browser of any user who later visits the related History page, allowing the attacker to run arbitrary scripts in the victim's browser. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to session cookie theft, session hijacking, malware download, browser hijacking, credential theft, exposure of sensitive information, website defacement, user misdirection, and reputational damage to the affected organization. Exploitation requires user interaction and authentication, but the attack can be launched remotely and the exploit is publicly available. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the input fields cΓ³digo and objetivo/habilidade at the endpoint /objetivos-de-aprendizagem-e-habilidades for stored cross-site scripting (XSS). A common detection method is to inject a harmless XSS payload such as "><img src=x onerror=alert('XSS-PoC')> into these fields and then visit the History page at /objetivos-de-aprendizagem-e-habilidades/{id}/historico to see if the script executes. There are no specific network commands provided, but manual or automated web application security testing tools (e.g., Burp Suite, OWASP ZAP) can be used to perform this test. Since exploitation requires authentication and victim interaction, monitoring for unusual script execution or alerts in browsers accessing these pages can also help detect exploitation. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the affected Portabilis i-Diario version 1.6 or replacing it with a non-vulnerable version or alternative product, as no official fixes or countermeasures have been published. Additionally, restrict access to the vulnerable endpoints to trusted users only, implement web application firewalls (WAF) to filter malicious input, and educate users about the risk of interacting with suspicious content. Since the vendor did not respond and no patches are available, these defensive measures are recommended to reduce exposure. [2]