Skip to main content
CVE Vulnerability Database

CVE-2025-8367: Portabilis i-Educar XSS Vulnerability

CVE-2025-8367 is a cross-site scripting flaw in Portabilis i-Educar 2.9 affecting the funcionario_vinculo_lst.php file. Attackers can exploit this remotely via the nome parameter. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-8367 Overview

CVE-2025-8367 is a reflected cross-site scripting (XSS) vulnerability in Portabilis i-Educar 2.9. The flaw resides in /intranet/funcionario_vinculo_lst.php, where the nome parameter is reflected into the response without proper output encoding. An unauthenticated remote attacker can craft a malicious URL that executes attacker-controlled JavaScript in the browser of a victim who follows the link.

Critical Impact

Successful exploitation allows script execution in the user's browser context, enabling session data theft, UI defacement, or targeted phishing against authenticated i-Educar users.

Affected Products

  • Portabilis i-Educar 2.9.0
  • Component: /intranet/funcionario_vinculo_lst.php
  • CPE: cpe:2.3:a:portabilis:i-educar:2.9.0:*:*:*:*:*:*:*

Discovery Timeline

  • 2025-07-31 - CVE-2025-8367 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8367

Vulnerability Analysis

The vulnerability is a reflected XSS issue [CWE-79] in the employee-link listing page of the i-Educar intranet module. The nome HTTP parameter accepted by funcionario_vinculo_lst.php is echoed back into the rendered HTML without HTML entity encoding or context-aware sanitization. When a victim loads a URL containing a crafted nome value, the injected payload is parsed by the browser as active content.

Because i-Educar is a school management platform, targeted users typically include administrative staff and teachers holding sessions with elevated privileges. Attack delivery requires user interaction, most commonly through a phishing link or an externally hosted page that redirects into the vulnerable endpoint.

Root Cause

The root cause is missing output encoding on user-supplied input. The nome parameter flows from the HTTP query string directly into HTML output without applying htmlspecialchars() or an equivalent escaping routine. No allow-list validation is applied to the parameter value.

Attack Vector

Exploitation occurs over the network and requires the victim to click a crafted link. The attacker builds a URL of the form /intranet/funcionario_vinculo_lst.php?nome=<payload>, embedding JavaScript within an HTML context break. When the response renders, the injected script executes in the origin of the i-Educar deployment, giving the attacker access to session cookies not marked HttpOnly, the DOM, and any authenticated API endpoints the victim can reach. Public analysis of the injection point is available in the GitHub Reflected XSS Analysis and the GitHub PoC Repository.

Detection Methods for CVE-2025-8367

Indicators of Compromise

  • Web server access log entries containing requests to /intranet/funcionario_vinculo_lst.php with nome= values that include <, >, script, onerror, onload, javascript:, or URL-encoded equivalents such as %3Cscript%3E.
  • Referer headers pointing to external or unexpected domains preceding requests to the vulnerable endpoint.
  • Unusual outbound requests from user browsers immediately after visiting the endpoint, suggesting cookie or token exfiltration.

Detection Strategies

  • Deploy web application firewall (WAF) signatures that inspect the nome query parameter for HTML and JavaScript metacharacters.
  • Correlate authentication events with anomalous session activity following requests to funcionario_vinculo_lst.php.
  • Review historical HTTP logs for parameter values that decode to executable HTML or script tags.

Monitoring Recommendations

  • Forward i-Educar web and application logs to a centralized analytics platform and alert on script-like patterns in query strings.
  • Monitor for spikes in 200-response traffic to the vulnerable path from a narrow set of client IPs, which may indicate automated probing.
  • Track user-reported phishing links that reference the i-Educar hostname.

How to Mitigate CVE-2025-8367

Immediate Actions Required

  • Restrict access to /intranet/funcionario_vinculo_lst.php at the reverse proxy or WAF, blocking requests where nome contains angle brackets, quotes, or script keywords.
  • Enforce a strict Content Security Policy (CSP) that disallows inline scripts on the i-Educar origin to limit payload execution.
  • Mark session cookies as HttpOnly and Secure to reduce the value of stolen session data.
  • Instruct users to avoid clicking i-Educar links received from untrusted sources.

Patch Information

As of the last NVD update on 2026-06-17, no vendor advisory or fixed release has been published. The reporter states that Portabilis was contacted before disclosure but did not respond. Track the VulDB entry #318339 and the Portabilis project channels for a future release addressing the nome parameter handling in funcionario_vinculo_lst.php.

Workarounds

  • Apply a virtual patch in the WAF to HTML-encode or reject dangerous characters in the nome parameter until an official fix is available.
  • If local code modification is feasible, wrap the reflected value with htmlspecialchars($nome, ENT_QUOTES, 'UTF-8') before output.
  • Limit exposure of the intranet interface to trusted networks or VPN users to reduce the attack surface.
bash
# Example ModSecurity rule to block reflective XSS payloads on the vulnerable endpoint
SecRule REQUEST_URI "@beginsWith /intranet/funcionario_vinculo_lst.php" \
    "phase:2,chain,deny,status:403,id:1008367,msg:'CVE-2025-8367 XSS attempt on nome parameter'"
    SecRule ARGS:nome "@rx (?i)(<script|onerror=|onload=|javascript:|<img|<svg)" "t:urlDecodeUni,t:htmlEntityDecode"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.