CVE-2025-7868 MEDIUM

CVE-2025-7868: Portabilis i-Educar Calendar educar_calendario_dia_motivo_cad.php cross site scripting

Vendor Portabilis
Product i-Educar
Weakness CWE-79 · XSS
Published July 20, 2025
Last update September 16, 2025
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /intranet/educar_calendario_dia_motivo_cad.php of the component Calendar Module. The manipulation of the argument Motivo/descricao results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

July 20, 2025 CVE published
September 16, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-40290 Reflected cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC. CVE-2026-33405 Pi-hole has a Stored HTML Injection in queries.js CVE-2021-1444 Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software Web Services Interface Cross-Site Scripting Vulnerability CVE-2022-47140 WordPress ARMember Plugin <= 4.0.1 is vulnerable to Cross Site Scripting (XSS) CVE-2026-47345 TYPO3 HTML Sanitizer allows Cross-Site Scripting