CVE-2025-22132

CVE-2025-22132 is a Cross-Site Scripting (XSS) vulnerability in WeGIA, an open-source web manager for charitable institutions. The flaw resides in the file upload functionality at the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint, where insufficient input validation allows attackers to upload files containing malicious JavaScript code. This issue, linked to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-434 (Unrestricted Upload of File with Dangerous Type), affects versions prior to 3.2.7 and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L).

Exploitation requires an authenticated attacker with high privileges (PR:H), such as an administrative or authorized user capable of accessing the file upload feature over the network (AV:N). The attacker uploads a specially crafted file with embedded JavaScript, which executes in the context of a victim's browser upon user interaction (UI:R), such as opening or processing the file. Successful exploitation enables arbitrary script execution with high confidentiality and integrity impacts (C:H/I:H), potentially leading to information theft, session hijacking, and other client-side attacks, with changed scope (S:C) and low availability impact (A:L).

Mitigation is available through the official patch in WeGIA version 3.2.7, as detailed in the GitHub security advisory (GHSA-h8hr-jhcx-fcv9) and the fixing commit (330f641db43cfb0c8ea8bb6025cc0732de4d4d6b). Security practitioners should urge users to update to the patched version immediately and review access controls on file upload endpoints to limit privileges.