CVE-2025-22597
Published: 10 January 2025
Description
WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the CobrancaController.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the local_recepcao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.8.
Security Summary
CVE-2025-22597 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting the WeGIA web application, which serves as a manager for charitable institutions. The flaw resides in the CobrancaController.php endpoint, where attackers can inject malicious scripts via the local_recepcao parameter. These scripts are persistently stored on the server and automatically execute whenever the affected page is accessed by users. The vulnerability carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L) and was published on 2025-01-10.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity by submitting crafted input to the vulnerable endpoint; exploitation then depends on user interaction, such as a user viewing the affected page. Successful exploitation executes the injected scripts in the context of the victim's browser, potentially leading to high confidentiality and integrity impacts, such as theft of session cookies, keystroke logging, or account takeover, alongside limited availability disruption.
The GitHub Security Advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mgj3-g922-2r9v details the issue and confirms mitigation through an upgrade to WeGIA version 3.2.8, which addresses the improper input sanitization in the affected endpoint.
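As an added illustration (not WeGIA's code and not the actual 3.2.8 fix, which this page does not show), the PHP below contrasts the unsafe rendering pattern a stored XSS depends on with output encoding applied at the point the stored field is written into HTML; the record shape, function names and the sample payload are constructed.

```php
<?php
declare(strict_types=1);

// Escape a stored string for insertion into HTML element content or a quoted
// attribute. ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE keeps
// malformed UTF-8 from turning the whole value into an empty string.
// Note: this helper is for HTML contexts only; a value placed inside a
// <script> block, a URL or a CSS rule needs an encoder for that context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern: a value read back from the database is copied verbatim
// into the page, so whatever was stored in local_recepcao is parsed as HTML.
function renderRowUnsafe(array $row): string
{
    return '<td>' . $row['local_recepcao'] . '</td>';
}

// Hardened pattern: encode at output time, for the HTML context being built.
// Input validation on the way in is a useful second layer, but output
// encoding is what prevents the stored value from being interpreted as markup.
function renderRowSafe(array $row): string
{
    return '<td>' . e($row['local_recepcao']) . '</td>';
}

// Constructed sample record, standing in for a row that an attacker had
// earlier written through the vulnerable parameter.
$row = ['local_recepcao' => '<script>alert(1)</script>'];

echo renderRowUnsafe($row), PHP_EOL;
echo renderRowSafe($row), PHP_EOL;
```

The second line of output contains the same text with every angle bracket and quote replaced by an HTML entity, so a browser displays the stored string rather than executing it.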
Details
- CWE(s)