CVE-2025-9104
BaseFortify
Publication date: 2025-08-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-diario | to 1.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9104 is a Stored Cross-Site Scripting (XSS) vulnerability in Portabilis i-Diario up to version 1.5.0. It affects the /planos-de-aulas-por-disciplina/ endpoint, specifically the parameters Parecer, Objeto de Conhecimento, and Habilidades. Due to improper validation and sanitization of these inputs, attackers can inject malicious scripts that are stored on the server and executed in other users' browsers when they access the affected page. This can be exploited remotely and requires user interaction. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to several security impacts including theft of session cookies enabling session hijacking, download and installation of malware on victim machines, browser hijacking, theft of user credentials, access to sensitive information, website defacement, misdirection of users, and damage to business reputation through misinformation or defacement. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected endpoint `/planos-de-aulas-por-disciplina/[ID]` for stored cross-site scripting (XSS) by injecting test payloads such as `<ScRipT>alert(1)</ScRipT>` into the parameters `Parecer`, `Objeto de Conhecimento`, or `Habilidades` via POST requests. Detection involves sending crafted POST requests to the endpoint and then accessing the affected page to see if the script executes. For example, using curl to send a test payload: `curl -X POST -d "Parecer=<ScRipT>alert(1)</ScRipT>" https://target/planos-de-aulas-por-disciplina/[ID]`. Afterwards, visiting the page or checking the response for script execution indicates vulnerability. Monitoring web application logs for suspicious POST requests containing script tags can also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of the affected Portabilis i-Diario versions up to 1.5.0, as no patches or vendor mitigations are available. Consider replacing the affected product with an alternative. Additionally, implement web application firewall (WAF) rules to block or sanitize inputs containing script tags or suspicious payloads targeting the parameters `Parecer`, `Objeto de Conhecimento`, and `Habilidades`. Restrict user privileges to limit the impact of potential exploitation and educate users to avoid interacting with suspicious content. Monitoring and logging should be enhanced to detect exploitation attempts. [2]