Cyber Posture

CVE-2025-22598

Severity: High
Public PoC: Yes

Published: 10 January 2025
Modified: 02 October 2025
KEV Added: none recorded
Patch: available (fixed in 3.2.8)
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0036 (58.4th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the cadastrarSocio.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the local_recepcao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.8.

Security Summary

CVE-2025-22598 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting the WeGIA web application, which serves as a manager for charitable institutions. The issue exists in the cadastrarSocio.php endpoint, where attackers can inject malicious scripts through the local_recepcao parameter. These scripts are persistently stored on the server and automatically execute in users' browsers whenever the affected page is accessed.

No privileges are required to plant the payload (PR:N) over the network (AV:N) with low attack complexity (AC:L); the only user interaction needed (UI:R) is a victim opening the page that renders the stored value, so, unlike a reflected XSS, no crafted link has to be delivered to the victim. The script then runs in the victim's browser under the WeGIA origin, giving high confidentiality and integrity impact and low availability impact, for a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L). Typical consequences are session hijacking, theft of whatever data the victim can see, and actions performed in the application with the victim's privileges.

The vulnerability is fixed in WeGIA version 3.2.8; installations on earlier releases should upgrade. Because the payload is stored server-side, records an attacker has already planted persist across the upgrade and should be reviewed as well. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9x2j-pw3h-p53f.
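The sink described in this summary, modelled as an added example in Python (WeGIA itself is PHP, and the source of cadastrarSocio.php is not reproduced on this page, so the form field names, the in-memory record list and both rendering functions are assumptions, not the project's code). The stored local_recepcao value is rendered once unescaped, the pattern a stored XSS implies, and once through html.escape, the equivalent of PHP's htmlspecialchars with ENT_QUOTES, which is the output-encoding fix a patched version needs. classify_sink is the check a tester runs against their own instance: submit an inert canary tag in local_recepcao, then see whether it comes back raw or encoded on the page that lists the stored records.

```python
import html
import secrets

# Constructed stand-in for the persisted member records; not WeGIA's real schema.
SOCIOS = []


def store_socio(form: dict) -> dict:
    """Write path as the advisory describes it: local_recepcao is persisted verbatim.
    Storing raw input is fine only if every output point encodes it."""
    record = {
        "nome": form.get("nome", ""),
        "local_recepcao": form.get("local_recepcao", ""),
    }
    SOCIOS.append(record)
    return record


def render_member_row_vulnerable(record: dict) -> str:
    # Vulnerable pattern (assumed): stored strings concatenated straight into HTML,
    # so '<script>' in local_recepcao becomes live markup for every viewer of the page.
    return f"<tr><td>{record['nome']}</td><td>{record['local_recepcao']}</td></tr>"


def render_member_row_fixed(record: dict) -> str:
    # Hardened pattern: encode at the HTML-text sink. html.escape(quote=True) turns
    # < > & " ' into entities; in PHP this is htmlspecialchars($v, ENT_QUOTES, 'UTF-8').
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(record["nome"], quote=True),
        html.escape(record["local_recepcao"], quote=True),
    )


def make_canary() -> str:
    """Inert probe: a unique, non-existent tag. It proves markup injection without
    executing anything, so it is safe to submit to a production instance."""
    return f"<xss{secrets.token_hex(4)}>"


def classify_sink(page_html: str, canary: str) -> str:
    """'raw' if the probe survived as markup (injectable), 'encoded' if the sink
    escaped it (safe for HTML-text context), 'absent' if the value never rendered here."""
    if canary in page_html:
        return "raw"
    if html.escape(canary, quote=True) in page_html:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    canary = make_canary()
    rec = store_socio({"nome": "Teste", "local_recepcao": canary})
    print("unpatched rendering:", classify_sink(render_member_row_vulnerable(rec), canary))
    print("patched rendering:  ", classify_sink(render_member_row_fixed(rec), canary))
```

Two caveats when using this check. html.escape covers the HTML-text and quoted-attribute contexts only; a value that lands inside a script block or an unquoted attribute needs encoding for that context, and the canary above will not tell you which context it landed in. And an advisory that names one parameter does not mean the other fields of the same form are encoded; probe each field the page renders, not just local_recepcao.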

Details

CWE(s)
CWE-79

Affected Products

Vendor: wegia
Product: wegia
Versions: earlier than 3.2.8 (fixed in 3.2.8)

References