CVE-2025-22597
📋 TL;DR
A stored XSS vulnerability in WeGIA's CobrancaController.php endpoint allows attackers to inject malicious scripts via the local_recepcao parameter. These scripts execute automatically when users access affected pages, potentially compromising user sessions and data. All WeGIA instances below version 3.2.8 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, hijack user sessions, deface the application, or deploy malware to visitors' browsers, leading to complete system compromise and data theft.
Likely Case
Attackers steal session cookies to impersonate users, redirect users to malicious sites, or perform actions on behalf of authenticated users.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing exploitation.
🎯 Exploit Status
Exploitation requires access to the vulnerable endpoint; authentication status is unspecified in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.8
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mgj3-g922-2r9v
Restart Required: No
Instructions:
1. Backup your WeGIA installation and database.
2. Download WeGIA version 3.2.8 from the official repository.
3. Replace the existing files with the patched version.
4. Verify the update by checking the version in the application interface.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation to reject or sanitize malicious input in the local_recepcao parameter.
Content Security Policy (CSP)
Deploy a strict CSP header to mitigate XSS impact by restricting script execution sources.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
- Disable or restrict access to the CobrancaController.php endpoint if not required for operations.
🔍 How to Verify
Check if Vulnerable:
Review the WeGIA version in the application's admin panel or check the source code for the vulnerable parameter in CobrancaController.php.
Check Version:
Check the WeGIA admin interface or inspect the application's configuration files for version information.
Verify Fix Applied:
After patching, submit a benign test payload (e.g., <script>alert('test')</script>) in the local_recepcao parameter and confirm that the response encodes or rejects it rather than rendering it as markup.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to CobrancaController.php with script tags or JavaScript in parameters
- Multiple failed login attempts following script injection
Network Indicators:
- Unexpected outbound connections from the WeGIA server to external domains
- Traffic patterns indicating data exfiltration
SIEM Query:
source="wegia_logs" AND (url="*CobrancaController.php*" AND (param="*<script>*" OR param="*javascript:*"))
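The log indicators and SIEM query above can also be checked offline against web-server logs. The following is an added example, not code from the advisory or the WeGIA project; the log line layout, the `/wegia/` path prefix and the sample lines are constructed assumptions, and the script markers are the ones the SIEM query names.

```python
import re
from urllib.parse import parse_qsl, urlsplit, unquote

# Assumed log layout: "<timestamp> <method> <url> <status> body=<urlencoded body or ->"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) body=(\S+)$')
# Markers from the advisory's SIEM query: <script> tags and javascript: URLs
MARKER_RE = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)

# Constructed sample lines; "/wegia/" is an assumed deployment prefix
SAMPLE_LOG = [
    "2025-01-10T10:00:01Z POST /wegia/CobrancaController.php 200 "
    "body=local_recepcao=%3Cscript%3Ealert(1)%3C%2Fscript%3E&acao=salvar",
    "2025-01-10T10:00:02Z GET /wegia/CobrancaController.php?local_recepcao=Recep%C3%A7%C3%A3o+Central 200 body=-",
    "2025-01-10T10:00:03Z POST /wegia/CobrancaController.php 200 body=local_recepcao=%253Cscript%253Esrc%3Dx",
    "2025-01-10T10:00:04Z GET /wegia/other.php?nome=%3Cscript%3E 200 body=-",
    "2025-01-10T10:00:05Z POST /wegia/CobrancaController.php 302 body=local_recepcao=javascript%3Avoid(0)",
]


def _decode_twice(value: str) -> str:
    # parse_qsl already decoded once; decode twice more so a double-encoded
    # %253Cscript%253E is still recognised
    return unquote(unquote(value))


def suspicious_params(url: str, body: str) -> list:
    """Return [(name, value)] for query or body parameters carrying a marker."""
    hits = []
    sources = [urlsplit(url).query, "" if body == "-" else body]
    for source in sources:
        for name, value in parse_qsl(source, keep_blank_values=True):
            if MARKER_RE.search(_decode_twice(value)):
                hits.append((name, value))
    return hits


def scan_log(lines) -> list:
    """Return (timestamp, method, hits) for CobrancaController.php requests
    whose parameters contain a script marker; other endpoints are ignored."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts, method, url, _status, body = m.groups()
        if not urlsplit(url).path.endswith("CobrancaController.php"):
            continue
        hits = suspicious_params(url, body)
        if hits:
            findings.append((ts, method, hits))
    return findings


if __name__ == "__main__":
    for ts, method, hits in scan_log(SAMPLE_LOG):
        print(ts, method, hits)
```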