CVE-2025-8366 Overview
CVE-2025-8366 is a reflected cross-site scripting (XSS) vulnerability in Portabilis i-Educar 2.9, an open-source school management system widely deployed in Brazilian educational institutions. The flaw resides in /intranet/educar_servidor_lst.php, where the nome and matricula_servidor parameters are reflected into the response without proper output encoding [CWE-79]. Remote attackers can craft a malicious URL that, when opened by an authenticated user, executes arbitrary JavaScript in the victim's browser session. The exploit has been publicly disclosed, and the vendor did not respond to disclosure attempts.
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser context, enabling session token theft, unauthorized administrative actions, and phishing against school staff.
Affected Products
- Portabilis i-Educar 2.9.0
- Component: /intranet/educar_servidor_lst.php
- Vulnerable parameters: nome and matricula_servidor
Discovery Timeline
- 2025-07-31 - CVE-2025-8366 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8366
Vulnerability Analysis
The vulnerability is a reflected XSS flaw in the server listing functionality of i-Educar 2.9. The PHP script educar_servidor_lst.php accepts user-controlled input through the nome (name) and matricula_servidor (employee registration number) HTTP parameters. These values are echoed back into the rendered HTML response without proper contextual encoding or sanitization.
Because the application does not escape reflected input, an attacker can inject HTML and JavaScript payloads that execute in the browser of any authenticated user who follows a crafted link. The impact is limited to the confidentiality and integrity of the client session, which is consistent with the low CVSS scoring for this class of reflected XSS.
Since Portabilis has not published a patch or acknowledged the report, i-Educar 2.9 deployments remain exposed. A public proof of concept is available in the GitHub PoC by marcelomulder.
Root Cause
The root cause is missing output encoding on user-supplied request parameters before they are inserted into the HTML response. The PHP handler does not apply htmlspecialchars() or an equivalent context-aware escaping function, and there is no server-side input validation restricting the character set of the nome and matricula_servidor fields.
Attack Vector
Exploitation requires user interaction. An attacker crafts a URL to /intranet/educar_servidor_lst.php containing a JavaScript payload in the nome or matricula_servidor query parameter, then delivers the link to an authenticated i-Educar user through email, chat, or another web page. When the target opens the link, the payload runs under the origin of the i-Educar application and can access session cookies, submit authenticated requests, or render fake login forms.
For payload construction details and reproduction steps, see the Reflected XSS technical write-up and the VulDB entry #318338.
Detection Methods for CVE-2025-8366
Indicators of Compromise
- HTTP GET or POST requests to /intranet/educar_servidor_lst.php containing <script>, onerror=, onload=, or javascript: substrings in the nome or matricula_servidor parameters.
- URL-encoded XSS payloads such as %3Cscript%3E, %3Cimg, or %3Csvg in referer headers pointing to the affected endpoint.
- Unexpected outbound requests from user browsers to attacker-controlled domains immediately after visiting i-Educar links.
Detection Strategies
- Deploy a Web Application Firewall (WAF) rule that inspects query and body parameters targeting educar_servidor_lst.php for HTML tags and JavaScript event handlers.
- Review web server access logs for anomalous parameter values on the affected endpoint, focusing on angle brackets, quotes, and encoded equivalents.
- Correlate proxy or DNS telemetry with authenticated i-Educar sessions to identify beaconing that follows XSS payload delivery.
Monitoring Recommendations
- Enable verbose HTTP request logging on the i-Educar web server and forward logs to a centralized SIEM for retention and search.
- Alert on repeated requests to educar_servidor_lst.php from a single source with varying parameter payloads, which indicates payload fuzzing.
- Monitor administrator and teacher session activity for actions initiated from unusual referrers or immediately after clicking external links.
How to Mitigate CVE-2025-8366
Immediate Actions Required
- Restrict access to the i-Educar intranet interface to trusted networks or VPN clients until a fix is available.
- Deploy WAF signatures that block XSS payloads targeting the nome and matricula_servidor parameters on /intranet/educar_servidor_lst.php.
- Enforce a strict Content Security Policy (CSP) that disallows inline scripts and restricts script sources to the application origin.
- Train staff to avoid opening i-Educar links received from untrusted sources.
Patch Information
At the time of publication, Portabilis has not released a patch for CVE-2025-8366, and the vendor did not respond to the original disclosure. Administrators should track the Portabilis i-Educar GitHub repository for future security updates and apply any community-supplied fixes after review. Track advisory status through VulDB CTI #318338.
Workarounds
- Apply a reverse-proxy filter that rejects requests to educar_servidor_lst.php containing <, >, or " characters in the nome and matricula_servidor parameters.
- Set the HttpOnly and Secure flags on all i-Educar session cookies to reduce the impact of client-side script execution.
- Enable SameSite=Strict on session cookies to limit cross-origin exploitation via crafted links.
# Example nginx snippet to block obvious XSS payloads on the affected endpoint
location = /intranet/educar_servidor_lst.php {
if ($args ~* "(<|%3C)\s*script|onerror=|onload=|javascript:") {
return 403;
}
proxy_pass http://ieducar_backend;
}
# Add a restrictive Content-Security-Policy header at the server level
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

