CVE-2025-22613

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in WeGIA allows attackers to inject malicious scripts into the 'descricao' parameter of the informacao_adicional.php endpoint. The scripts are stored on the server and automatically execute when users access affected pages, potentially compromising user data and systems. All WeGIA users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • WeGIA
Versions: All versions before 3.2.6
Operating Systems: All platforms running WeGIA
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal session cookies, credentials, or sensitive data from all users accessing the vulnerable page, potentially leading to full account takeover and data breaches.

🟠 Likely Case

Attackers inject malicious scripts that steal user session tokens or credentials, enabling unauthorized access to user accounts and potentially administrative functions.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing any client-side code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Stored XSS vulnerabilities are commonly exploited, though specific exploit details for this CVE are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.6

Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-fhpx-54ch-ccxh

Restart Required: Yes

Instructions:

1. Back up your current WeGIA installation and database.
2. Download WeGIA version 3.2.6 from the official repository.
3. Replace the existing files with the patched version.
4. Restart the web server service.
5. Verify the application functions correctly.

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
  • Disable or restrict access to the informacao_adicional.php endpoint if not essential for operations.

🔍 How to Verify

Check if Vulnerable:

Check if your WeGIA version is below 3.2.6 by examining the application version in the admin interface or configuration files.

Check Version:

Check the application's admin panel or review the application's configuration files for version information.

Verify Fix Applied:

After upgrading to version 3.2.6, test the informacao_adicional.php endpoint with basic XSS payloads like <script>alert('test')</script> and confirm that the stored value is rendered as inert, HTML-encoded text on every page that displays it, rather than executed by the browser.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to informacao_adicional.php with script tags or JavaScript in parameters
  • Multiple failed attempts to inject scripts into the descricao parameter

Network Indicators:

  • HTTP requests containing script tags or JavaScript code in the descricao parameter
  • Unusual traffic patterns to the vulnerable endpoint

SIEM Query:

source="web_server_logs" AND url_path="/informacao_adicional.php" AND param="descricao" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
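As an added example (not part of this advisory or of the WeGIA project), the log and network indicators above turned into a small Python scanner. It assumes a request log that records the client IP, method, path and URL-encoded form body on one line (for example from a WAF or reverse proxy, since a stock access log does not capture POST bodies); the sample records are constructed for this example, and the endpoint and parameter names are the ones named in this advisory. It URL-decodes the descricao value (twice, to catch double encoding), matches script tags and javascript: URLs case-insensitively, and reports source IPs with repeated attempts, which covers both "Log Indicators" bullets.

```python
"""Scan request records for the stored-XSS indicators listed in this advisory.

The one-line log format (client IP, method, path, URL-encoded body) and the
sample records below are constructed for this example; adapt parse_record()
to your own log source.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/informacao_adicional.php"   # endpoint named in the advisory
TARGET_PARAM = "descricao"                  # parameter named in the advisory

# Indicators from the advisory: script tags and javascript: URLs. Matched
# case-insensitively on the decoded value so <ScRiPt> and %3Cscript%3E both hit.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]

# Constructed sample records (not real traffic). Fields: ip method path body
SAMPLE_LOG = """\
203.0.113.10 POST /informacao_adicional.php descricao=Contato+atualizado&id=42
203.0.113.10 POST /informacao_adicional.php descricao=%3Cscript%3Ealert(1)%3C%2Fscript%3E&id=42
203.0.113.10 POST /informacao_adicional.php descricao=%3CScRiPt%3Ex%3C%2FScRiPt%3E&id=42
198.51.100.7 POST /informacao_adicional.php descricao=%3Ca+href%3D%22javascript%3Aalert(1)%22%3Ex%3C%2Fa%3E&id=7
198.51.100.7 GET /informacao_adicional.php id=7
192.0.2.5 POST /login.php user=%3Cscript%3E&pass=x
"""


def parse_record(line):
    """Split one log line into its fields and decode the form body once."""
    ip, method, path, body = line.split(" ", 3)
    params = parse_qs(body, keep_blank_values=True)  # values are URL-decoded here
    return {"ip": ip, "method": method, "path": path, "params": params}


def is_xss_attempt(record):
    """True when the record targets the vulnerable endpoint and the descricao
    parameter carries a script-tag or javascript: payload."""
    if not record["path"].endswith(TARGET_PATH):
        return False
    values = record["params"].get(TARGET_PARAM, [])
    # parse_qs already decoded once; decode again to defeat double encoding.
    decoded = [unquote_plus(v) for v in values]
    return any(p.search(v) for v in decoded for p in XSS_PATTERNS)


def scan_log(text, repeat_threshold=2):
    """Return (flagged_records, repeat_offenders): every matching record plus the
    source IPs that made at least `repeat_threshold` injection attempts."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if is_xss_attempt(record):
            flagged.append(record)
    counts = Counter(r["ip"] for r in flagged)
    repeat_offenders = sorted(ip for ip, n in counts.items() if n >= repeat_threshold)
    return flagged, repeat_offenders


if __name__ == "__main__":
    hits, repeaters = scan_log(SAMPLE_LOG)
    for r in hits:
        print(f"{r['ip']} {r['method']} {r['path']} "
              f"descricao={r['params'][TARGET_PARAM][0]!r}")
    print("repeat offenders:", repeaters)
```

Matching on the decoded value rather than the raw query string is the point: the literal `<script>` check in the SIEM query above misses `%3Cscript%3E`, mixed-case tags, and double-encoded payloads, all of which the scanner flags. The `/login.php` record is deliberately not flagged, since the indicator is scoped to the vulnerable endpoint; widen `TARGET_PATH` if you want the same check applied elsewhere.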

🔗 References
