CVE-2025-22619
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in WeGIA's editar_permissoes.php endpoint allows attackers to inject malicious scripts via the msg_c parameter. This affects all WeGIA users running vulnerable versions, potentially compromising user sessions and data. The vulnerability is particularly concerning for charitable institutions using this Portuguese-language web management system.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface websites, or redirect users to malicious sites, potentially leading to complete system compromise and data theft.
Likely Case
Attackers would typically use this to steal session cookies, perform phishing attacks, or deface the website by injecting malicious scripts that execute in victims' browsers.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be treated as plain text rather than executable code, preventing any exploitation.
🎯 Exploit Status
Reflected XSS vulnerabilities are typically easy to exploit with basic web security knowledge. The advisory provides enough detail for attackers to craft working exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.6
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jfjj-7rgc-6j2m
Restart Required: No
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.2.6 from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify the editar_permissoes.php file has proper input validation.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block malicious script patterns in the msg_c parameter
Input Validation Filter
Add server-side filtering for the msg_c parameter to strip or encode script tags
Add sanitization in editar_permissoes.php at the point where the msg_c value is echoed into the page: htmlspecialchars($_GET['msg_c'], ENT_QUOTES, 'UTF-8')
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Disable or restrict access to the editar_permissoes.php endpoint if not required
🔍 How to Verify
Check if Vulnerable:
Test by requesting editar_permissoes.php?msg_c=<script>alert('test')</script> and checking whether the script executes in the browser
Check Version:
Check WeGIA version in admin panel or review application files for version indicators
Verify Fix Applied:
After patching, send the same payload and verify that it is HTML-encoded/escaped in the response rather than executed
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to editar_permissoes.php with script-like content in the msg_c parameter
- Multiple failed attempts with script payloads
Network Indicators:
- HTTP requests containing <script> tags or JavaScript code in URL parameters
- Unusual redirects or external resource loads from WeGIA pages
SIEM Query:
source="web_server" AND uri="*editar_permissoes.php*" AND (query="*<script>*" OR query="*javascript:*" OR query="*onload=*" OR query="*onerror=*")
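As an added example (not part of this advisory or of the WeGIA project), the log indicators above turned into a Python check run over constructed Apache/nginx combined-format access-log lines; the request paths, client IPs and payload values are assumed. Unlike the literal SIEM query, it URL-decodes msg_c (including double encoding) before matching, so percent-encoded payloads are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /editar_permissoes.php?msg_c=Permiss%C3%A3o+salva HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:12:00:07 +0000] "GET /editar_permissoes.php?msg_c=%3Cscript%3Ealert('test')%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:12:00:09 +0000] "GET /editar_permissoes.php?msg_c=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:12:00:15 +0000] "GET /editar_permissoes.php?msg_c=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:12:00:20 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Same markers as the SIEM query above, matched case-insensitively after decoding.
XSS_MARKERS = re.compile(r'<script|javascript:|onload=|onerror=', re.IGNORECASE)

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (bounded) so %253Cscript does not slip past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_msg_c_xss(log_text: str) -> list[dict]:
    """One record per request to editar_permissoes.php with a script-like msg_c."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if url.path.rsplit('/', 1)[-1] != 'editar_permissoes.php':
            continue
        # parse_qs decodes one layer; fully_decode handles double encoding
        for raw in parse_qs(url.query, keep_blank_values=True).get('msg_c', []):
            value = fully_decode(raw)
            marker = XSS_MARKERS.search(value)
            if marker:
                hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'marker': marker.group(0).lower(), 'value': value})
    return hits

if __name__ == '__main__':
    for h in find_msg_c_xss(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} marker={h['marker']!r} msg_c={h['value']!r}")
```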