CVE-2025-9107
BaseFortify
Publication date: 2025-08-18
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-diario | up to 1.5.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9107 is a reflected Cross-Site Scripting (XSS) vulnerability in Portabilis i-Diario versions up to 1.5.0. It occurs in the /alunos/search_autocomplete endpoint, specifically in the 'q' parameter, which does not properly validate or sanitize user input. This allows attackers to inject malicious scripts that are reflected back in the server's response and executed in the victim's browser, potentially leading to unauthorized actions or data theft. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary scripts in the context of a victim's browser, enabling them to perform actions on behalf of the user, steal sensitive information such as cookies, compromise user accounts, execute malicious code, damage the business's reputation by defacing websites or spreading misinformation, and misdirect users. The attack can be initiated remotely without authentication but requires some user interaction. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /alunos/search_autocomplete endpoint with a payload in the q parameter that attempts to inject a script, such as `"><script>alert('XSS-PoC')</script>`. If the script executes or is reflected in the response, the vulnerability is present. You can use curl or similar tools to test this, for example: `curl -G --data-urlencode "q=\"><script>alert('XSS-PoC')</script>" https://targetsite/alunos/search_autocomplete`. Monitoring web traffic for suspicious query parameters containing script tags may also help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of the affected Portabilis i-Diario versions up to 1.5.0, as no vendor patches or mitigations are available. Consider replacing or upgrading the affected product. Additionally, implement web application firewall (WAF) rules to block or sanitize requests containing suspicious script payloads in the q parameter. Educate users to be cautious of suspicious links and monitor for exploitation attempts. Since the vendor did not respond and no official fixes exist, these defensive measures are recommended. [2]
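The log-review check suggested in the detection and mitigation answers above, written out as an added defender-side example (this is not code from the BaseFortify record or the i-Diario project): it scans web server access logs for requests to /alunos/search_autocomplete whose decoded q parameter carries script-injection markers, decoding repeatedly so double-encoded payloads are not missed. The log lines, client IPs and combined log format are constructed; only the endpoint and parameter name come from the record.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-format access log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Aug/2025:10:01:02 +0000] "GET /alunos/search_autocomplete?q=maria HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Aug/2025:10:01:05 +0000] "GET /alunos/search_autocomplete?q=%22%3E%3Cscript%3Ealert%28%27XSS-PoC%27%29%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.12 - - [18/Aug/2025:10:01:09 +0000] "GET /alunos/search_autocomplete?q=%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.13 - - [18/Aug/2025:10:01:12 +0000] "GET /alunos/search_autocomplete?q=jo%C3%A3o%20silva HTTP/1.1" 200 530 "-" "Mozilla/5.0"
203.0.113.14 - - [18/Aug/2025:10:01:15 +0000] "GET /turmas?q=%3Cscript%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/alunos/search_autocomplete"  # endpoint named in the CVE record
# Markers of a reflected-XSS attempt in the decoded value: a script tag, a javascript: URL,
# an inline event handler, or a quote followed by '>' (attribute break-out, as in the published PoC).
XSS_MARKERS = re.compile(r"<\s*script|javascript:|on[a-z]+\s*=|[\"']\s*>", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    # Payloads are sometimes double-encoded; keep decoding until the value stops changing (bounded).
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return one record per request to the vulnerable endpoint whose q value looks like an XSS attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue  # other endpoints are out of scope for this CVE
        for q in parse_qs(parts.query, keep_blank_values=True).get("q", []):
            decoded = fully_decode(q)  # parse_qs already decoded once; handle extra layers
            if XSS_MARKERS.search(decoded):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "q": decoded})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Legitimate searches such as the "joão silva" line are decoded but not flagged, and the hit on the double-encoded line shows why a single URL-decode is not enough for a WAF or SIEM rule.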