CVE-2025-22615
📋 TL;DR
This CVE describes a Reflected Cross-Site Scripting (XSS) vulnerability in WeGIA's Cadastro_Atendido.php endpoint where the cpf parameter is not properly sanitized. Attackers can inject malicious scripts that execute in victims' browsers when they visit crafted URLs. All WeGIA users running versions before 3.2.6 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware via drive-by downloads.
Likely Case
Session hijacking leading to unauthorized access, credential theft, or defacement of application pages.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.
🎯 Exploit Status
Exploitation requires tricking a user into opening a crafted link, but the attacker does not need to be authenticated to the application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.6
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6q73-74pc-p3c8
Restart Required: Yes
Instructions:
1. Back up your current WeGIA installation and database.
2. Download WeGIA version 3.2.6 from the official repository.
3. Replace the existing files with the patched version.
4. Restart your web server (Apache/Nginx).
5. Verify that the Cadastro_Atendido.php endpoint no longer reflects unsanitized input.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Configure the WAF to block requests containing script tags or JavaScript in the cpf parameter.
WAF-specific configuration commands vary by vendor
Input Validation Filter
Implement server-side validation to reject non-numeric CPF values or values containing special characters.
Modify Cadastro_Atendido.php to add, before the cpf value is used or echoed (the null-coalescing default also rejects a missing parameter instead of raising an undefined-index warning): if (!preg_match('/^[0-9]{11}$/', $_GET['cpf'] ?? '')) { die('Invalid CPF'); }
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution.
- Disable or restrict access to the Cadastro_Atendido.php endpoint if not required.
🔍 How to Verify
Check if Vulnerable:
Test by accessing: http://your-wegia-instance/Cadastro_Atendido.php?cpf=<script>alert('XSS')</script> and checking if script executes.
Check Version:
Check WeGIA version in admin panel or review application files for version markers.
Verify Fix Applied:
After patching, repeat the test above: the script should not execute, and the reflected input should either be rejected or appear HTML-encoded in the response.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to Cadastro_Atendido.php with script tags or JavaScript in query parameters
- Unusual GET parameters containing <, >, or script keywords
Network Indicators:
- HTTP traffic patterns showing repeated requests to Cadastro_Atendido.php with encoded payloads
SIEM Query:
source="web_server" AND url="*Cadastro_Atendido.php*" AND (query="*<script>*" OR query="*javascript:*")
This query matches only literal strings; URL-encoded payloads (for example %3Cscript%3E) will not match unless the SIEM decodes query strings before matching or an additional encoded pattern is added.
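As an added defender-side example (not part of this advisory or the WeGIA project), the script below applies the log indicators above to constructed access-log lines. Unlike the wildcard SIEM query, it percent-decodes the cpf value (repeatedly, to catch double encoding) before matching, and it also flags any cpf value that is not the expected 11 digits. The request path, IPs and timestamps are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); IPs, timestamps and path are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /Cadastro_Atendido.php?cpf=12345678901 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2025:10:00:02 +0000] "GET /Cadastro_Atendido.php?cpf=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jan/2025:10:00:03 +0000] "GET /Cadastro_Atendido.php?cpf=%253Cscript%253Ealert(%2527XSS%2527)%253C%252Fscript%253E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.13 - - [10/Jan/2025:10:00:04 +0000] "GET /Cadastro_Atendido.php?cpf=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
CPF_RE = re.compile(r'^[0-9]{11}$')
SUSPICIOUS = ('<', '>', 'script', 'javascript:')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return a reason string if the request target carries a suspicious cpf value, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/Cadastro_Atendido.php'):
        return None  # only the vulnerable endpoint is in scope
    for raw in parse_qs(parts.query, keep_blank_values=True).get('cpf', []):
        value = fully_decode(raw)  # parse_qs already removed one encoding layer
        if any(marker in value.lower() for marker in SUSPICIOUS):
            return f'cpf contains script markup: {value!r}'
        if not CPF_RE.match(value):
            return f'cpf is not an 11-digit value: {value!r}'

def scan_log(text):
    """Return (ip, timestamp, reason) for every flagged line; unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        if m := LOG_RE.match(line):
            if reason := inspect_request(m.group('target')):
                hits.append((m.group('ip'), m.group('ts'), reason))
    return hits

if __name__ == '__main__':
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip}: {reason}')
```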