CVE-2025-23031
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in WeGIA's adicionar_alergia.php endpoint allows attackers to inject malicious scripts via the 'nome' parameter. These scripts are stored on the server and automatically execute when users access affected pages, potentially compromising user data and sessions. All WeGIA users running vulnerable versions are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
WeGIA by WeGIA
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface the website, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers steal session cookies or authentication tokens, enabling account takeover and unauthorized access to sensitive charitable institution data.
If Mitigated
With proper input validation and output encoding, the vulnerability would be prevented, maintaining normal application functionality.
🎯 Exploit Status
Exploitation requires access to the vulnerable endpoint, which may require authentication. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.6
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wp4f-qhh2-8vfv
Restart Required: Yes
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.2.6 from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the web server service.
5. Verify the fix by testing the adicionar_alergia.php endpoint.
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
- Disable or restrict access to the adicionar_alergia.php endpoint if not required for operations.
🔍 How to Verify
Check if Vulnerable:
Check if your WeGIA version is below 3.2.6 by examining the application version in the admin panel or configuration files.
Check Version:
Check the WeGIA configuration files or admin interface for version information. No single command exists for all installations.
Verify Fix Applied:
After upgrading to 3.2.6, test the adicionar_alergia.php endpoint by submitting a basic XSS payload (e.g., <script>alert('test')</script>) in the 'nome' parameter and verifying that the stored value is rendered as inert text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to adicionar_alergia.php with script tags or JavaScript in parameters
- Multiple failed login attempts followed by access to the vulnerable endpoint
Network Indicators:
- HTTP requests containing <script> tags or JavaScript code in the 'nome' parameter
- Unusual outbound connections from the WeGIA server after page access
SIEM Query:
source="web_server_logs" AND uri="*adicionar_alergia.php*" AND (param="*<script>*" OR param="*javascript:*")
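The SIEM query above matches literal `<script>` and `javascript:` strings, which misses URL-encoded payloads as they appear in real web-server logs. The following added example (not part of this advisory or of WeGIA) applies the same log indicators to constructed combined-format access-log lines after URL-decoding the parameters; the `/html/` path prefix is assumed, and only URL-borne parameters are visible because POST bodies are not written to access logs.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format), not real WeGIA traffic.
# The /html/ prefix is an assumption; matching is on the adicionar_alergia.php file name only.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Jan/2025:12:00:01 +0000] "POST /html/adicionar_alergia.php?nome=Poeira HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jan/2025:12:00:07 +0000] "POST /html/adicionar_alergia.php?nome=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jan/2025:12:00:09 +0000] "GET /html/adicionar_alergia.php?nome=javascript%3Aalert(1) HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jan/2025:12:00:12 +0000] "POST /html/adicionar_alergia.php?nome=%253Cscript%253E HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jan/2025:12:00:15 +0000] "GET /html/index.php?q=%3Cscript%3E HTTP/1.1" 200 1024',
]

# Request line inside a combined-format entry: method, target (path + query), protocol, status.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Same markers as the SIEM query (script tags, javascript: URLs), but matched after
# URL-decoding so encoded payloads do not slip past a literal "*<script>*" wildcard.
XSS_MARKERS = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)


def suspicious_params(target):
    """Return [(param, decoded_value)] for query parameters whose decoded value carries
    an XSS marker. parse_qs decodes once; the extra unquote_plus also catches
    double-encoded payloads such as %253Cscript%253E."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)
            if XSS_MARKERS.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_logs(lines, endpoint="adicionar_alergia.php"):
    """Flag requests to the affected endpoint whose URL parameters contain XSS markers.
    POST bodies are not in access logs, so body inspection needs a WAF or application log."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or not urlsplit(m.group("target")).path.endswith(endpoint):
            continue
        for param, value in suspicious_params(m.group("target")):
            findings.append({"client": line.split()[0], "method": m.group("method"),
                             "param": param, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['client']} {f['method']} param={f['param']} value={f['value']!r}")
```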