Stored XSS Vulnerability in WeGIA Web Application Affecting Charitable Institutions
CVE-2025-22618

5.4 MEDIUM

Key Information:

Vendor

WeGIA

CVE Published:
13 January 2025

What is CVE-2025-22618?

The WeGIA web management application, which primarily supports Portuguese-speaking charitable institutions, is vulnerable to Stored Cross-Site Scripting (XSS). The flaw is in the adicionar_cargo.php endpoint, where inadequate validation of the cargo parameter allows an attacker to submit script content that the application stores on the server. Because the stored value is later rendered as part of the page, the script runs in the browser of every user who views the affected page, exposing their session data and the integrity of the application. Users are urged to upgrade to version 3.2.6 or higher; no workaround is known for this issue.
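The following is an added illustration of the pattern the advisory describes, not WeGIA's code: a job-title ("cargo") value taken from the database and rendered unchanged, next to a hardened version that encodes it for the HTML context on output and applies an allow-list on input. The function names, the sample stored values and the allow-list pattern are assumptions for this example.

```php
<?php
// Added example, not WeGIA's code. Shows why a stored "cargo" value must be
// encoded when rendered, and how an input allow-list narrows what is stored.

// Constructed sample: values as they might sit in the database after
// submission. The advisory names no specific payload; the last entries
// are the classic harmless canary strings used to test output encoding.
$storedCargos = [
    'Tesoureiro',
    'Assistente social',
    "<script>alert('xss')</script>",
    '" onmouseover="alert(1)',
];

// Vulnerable pattern: the stored value is written straight into the HTML.
// Whatever was submitted as the cargo parameter becomes markup on the page.
function renderCargoUnsafe(string $cargo): string
{
    return "<td>$cargo</td>";
}

// Hardened pattern: encode on output for the HTML context. ENT_QUOTES also
// encodes single and double quotes, so the value is safe inside attribute
// values as well as element text.
function renderCargoSafe(string $cargo): string
{
    $escaped = htmlspecialchars($cargo, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<td>$escaped</td>";
}

// Defence in depth on the input side: a job title is letters (any script),
// combining marks, spaces, dots, apostrophes and hyphens, 1 to 100 characters.
// Rejecting anything else at adicionar_cargo.php time keeps markup out of
// the database; encoding on output remains mandatory regardless.
function isValidCargo(string $cargo): bool
{
    return (bool) preg_match("/^[\\p{L}\\p{M} .'-]{1,100}$/u", $cargo);
}

foreach ($storedCargos as $cargo) {
    echo 'stored:  ' . var_export($cargo, true) . PHP_EOL;
    echo 'unsafe:  ' . renderCargoUnsafe($cargo) . PHP_EOL;
    echo 'safe:    ' . renderCargoSafe($cargo) . PHP_EOL;
    echo 'accept:  ' . (isValidCargo($cargo) ? 'yes' : 'no') . PHP_EOL . PHP_EOL;
}
```

Running this with `php` prints each stored value three ways: the unsafe rendering shows the canary strings arriving in the page as live markup, the safe rendering shows them as inert `&lt;script&gt;` and `&quot;` text, and the allow-list rejects both canaries while accepting the two legitimate titles. The fix that matters is the output encoding; the allow-list only reduces what an attacker can get stored in the first place.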

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published