CVE-2025-22132
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in WeGIA's file upload functionality allows attackers to upload malicious files containing JavaScript code. When processed by the system, this code executes in victims' browsers, potentially stealing sensitive information or hijacking sessions. All WeGIA installations below version 3.2.7 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
WeGIA by WeGIA
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, theft of sensitive donor/beneficiary data, administrative privilege escalation, and deployment of malware to users' systems.
Likely Case
Session hijacking leading to unauthorized access, theft of cookies and authentication tokens, and defacement of the application interface.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting individual user sessions without system-wide compromise.
🎯 Exploit Status
Exploitation requires file upload access, which typically requires authentication, but could be combined with other vulnerabilities or social engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.7
Vendor Advisory: https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-h8hr-jhcx-fcv9
Restart Required: No
Instructions:
1. Download WeGIA version 3.2.7 or later from the official repository.
2. Replace the vulnerable file WeGIA/html/socio/sistema/controller/controla_xlsx.php with the patched version.
3. Verify the fix by checking that the file contains proper input validation and output encoding.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Temporarily disable or restrict access to the controla_xlsx.php endpoint until patching is complete.
mv /path/to/WeGIA/html/socio/sistema/controller/controla_xlsx.php /path/to/WeGIA/html/socio/sistema/controller/controla_xlsx.php.disabled
Implement WAF rules
Configure the web application firewall to block malicious file uploads containing JavaScript payloads.
🧯 If You Can't Patch
- Implement strict file upload validation to only accept expected file types and sanitize all uploaded content.
- Deploy Content Security Policy (CSP) headers to restrict script execution from untrusted sources.
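The two controls above (strict upload validation and output encoding) are illustrated by the following added example. It is not WeGIA's code and does not reproduce the patched controla_xlsx.php; the allowed extension, size limit and function names are assumptions chosen for the example. The point it makes is that an extension check alone is not enough: the content is also checked against the ZIP magic bytes every .xlsx file starts with, and anything derived from the file is HTML-encoded before it is rendered.

```python
import html
import re

# Constructed constraints for this example; WeGIA's real limits are not on the page.
ALLOWED_EXTENSIONS = {".xlsx"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
XLSX_MAGIC = b"PK\x03\x04"  # .xlsx files are ZIP (OOXML) containers


def safe_filename(name: str) -> str:
    """Drop directory components and any character outside a conservative set,
    so the stored name can never contain markup or path separators."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)[:100]


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason_or_name).

    Rejects by extension, size and magic bytes, so an HTML/JS file renamed
    to .xlsx is refused even though its extension looks right."""
    name = safe_filename(filename)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if len(content) == 0 or len(content) > MAX_UPLOAD_BYTES:
        return False, "size out of range"
    if not content.startswith(XLSX_MAGIC):
        return False, "content is not a ZIP/OOXML container"
    return True, name


def render_cell(value: str) -> str:
    """Encode a spreadsheet-derived string before inserting it into an HTML page.
    Output encoding is what stops stored script text from executing in the browser."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    ok, info = validate_upload("donors.xlsx", XLSX_MAGIC + b"\x00" * 32)
    print("accepted" if ok else "rejected", info)
    print(render_cell('<b onmouseover="x()">name</b>'))
```

Magic-byte checks only establish that the upload is a ZIP container, not that it is a well-formed spreadsheet; a real handler would still parse it with a spreadsheet library and treat every cell as untrusted text.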
🔍 How to Verify
Check if Vulnerable:
Check if WeGIA version is below 3.2.7 and examine the controla_xlsx.php file for lack of proper input sanitization.
Check Version:
grep -r 'version' /path/to/WeGIA/config/ (or check the application interface)
Verify Fix Applied:
Verify the WeGIA version is 3.2.7 or higher and test file upload functionality with malicious payloads to ensure they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to controla_xlsx.php endpoint
- Large number of file upload attempts with suspicious filenames
- JavaScript code patterns in uploaded file content logs
Network Indicators:
- HTTP POST requests to /WeGIA/html/socio/sistema/controller/controla_xlsx.php with file uploads
- Subsequent requests with suspicious JavaScript payloads in parameters
SIEM Query:
source="web_logs" AND uri="/WeGIA/html/socio/sistema/controller/controla_xlsx.php" AND method="POST" AND (file_upload="true" OR content_type="multipart/form-data")
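The log and network indicators above can be checked outside a SIEM as well. The following added example (not part of the advisory or of WeGIA) parses constructed web-server access-log lines in the common log format, selects POSTs to the vulnerable controller path, and reports source addresses that issue a burst of uploads. The sample lines, the burst threshold and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# Path from the advisory's network indicators.
TARGET_PATH = "/WeGIA/html/socio/sistema/controller/controla_xlsx.php"

# Common log format: ip - user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for this example; these are not real WeGIA logs.
SAMPLE_LOG = """\
10.0.0.5 - maria [10/Jan/2025:10:01:02 +0000] "GET /WeGIA/html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 200 512
10.0.0.5 - maria [10/Jan/2025:10:01:09 +0000] "POST /WeGIA/html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 302 0
10.0.0.9 - - [10/Jan/2025:10:02:11 +0000] "POST /WeGIA/html/socio/sistema/controller/controla_xlsx.php?x=1 HTTP/1.1" 200 1024
10.0.0.9 - - [10/Jan/2025:10:02:12 +0000] "POST /WeGIA/html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 200 1024
10.0.0.9 - - [10/Jan/2025:10:02:13 +0000] "POST /WeGIA/html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 200 1024
10.0.0.7 - joao [10/Jan/2025:10:05:00 +0000] "GET /WeGIA/html/index.php HTTP/1.1" 200 2048
"""


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_posts(log_text: str) -> list:
    """POSTs to the vulnerable controller. The query string is stripped before
    comparing, because it does not change which PHP file handles the request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and entry["path"].split("?", 1)[0] == TARGET_PATH:
            hits.append(entry)
    return hits


def burst_sources(entries: list, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` upload POSTs: the advisory's
    'large number of file upload attempts' indicator."""
    counts = Counter(e["ip"] for e in entries)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def anonymous_posts(entries: list) -> list:
    """Upload POSTs with no authenticated user ('-'), worth a closer look because
    the endpoint is expected to require authentication."""
    return [e for e in entries if e["user"] == "-"]


if __name__ == "__main__":
    posts = find_upload_posts(SAMPLE_LOG)
    print(f"{len(posts)} upload POSTs, bursts: {burst_sources(posts)}, "
          f"{len(anonymous_posts(posts))} without a logged user")
```

A standard access log does not record the request Content-Type or the uploaded filename, which is why the advisory's SIEM query relies on `content_type` and `file_upload` fields; to match on those, request-header logging (or a WAF/reverse-proxy log) has to be enabled upstream, and the content-based indicators such as script patterns in uploads need the file itself, not the access log.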