CVE-2025-22618

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_cargo.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the `cargo` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. The application fails to properly validate and sanitize user inputs in the `adicionar_cargo.php` parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system. This issue has been addressed in release version 3.2.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/commit/f3b1cd90e33b790b6b2049c69d22c6d50fe965a1	Patch
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-2775-42rh-535q	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

History

13 Feb 2025, 18:55

Type	Values Removed	Values Added
Summary		(es) WeGIA es un gestor web de código abierto centrado en el idioma portugués y las instituciones benéficas. Se identificó una vulnerabilidad Cross-Site Scripting Almacenado (XSS) en el `adicionar_cargo.php` Endpoint de la aplicación WeGIA. Esta vulnerabilidad permite a los atacantes inyectar Scripts maliciosos en el parámetro `cargo`. Los Scripts inyectados se almacenan en el servidor y se ejecutan automáticamente cada vez que los usuarios acceden a la página afectada, lo que supone un riesgo de seguridad significativo. La aplicación no puede validar y Desinfectar correctamente las entradas del usuario en el parámetro `adicionar_cargo.php`. Esta falta de validación permite a los atacantes inyectar Scripts maliciosos, que luego se almacenan en el servidor. Cada vez que se accede a la página afectada, el Payload malicioso se ejecuta en el navegador de la víctima, lo que puede comprometer los datos del usuario y sistema. Este problema se ha solucionado en la versión de lanzamiento 3.2.6 y se recomienda a todos los usuarios que la actualicen. No se conocen Workarounds para esta vulnerabilidad.
CPE		cpe:2.3:a:wegia:wegia::::::::
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/commit/f3b1cd90e33b790b6b2049c69d22c6d50fe965a1 -~~	() https://github.com/LabRedesCefetRJ/WeGIA/commit/f3b1cd90e33b790b6b2049c69d22c6d50fe965a1 - Patch
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-2775-42rh-535q -~~	() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-2775-42rh-535q - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
First Time		Wegia Wegia wegia

13 Jan 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-13 21:15

Updated : 2025-02-13 18:55

NVD link : CVE-2025-22618

Mitre link : CVE-2025-22618

CVE.ORG link : CVE-2025-22618

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10