CVE-2025-23035
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in WeGIA's adicionar_tipo_quadro_horario.php endpoint allows attackers to inject malicious scripts via the 'tipo' parameter. These scripts are stored on the server and automatically execute when users access the affected page, potentially compromising user data and sessions. All WeGIA users running vulnerable versions are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface the website, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers inject malicious JavaScript to steal session cookies or credentials, enabling unauthorized access to the WeGIA application and potentially sensitive charitable institution data.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be neutralized, preventing execution in user browsers.
🎯 Exploit Status
The advisory doesn't specify authentication requirements, but typical stored XSS in admin interfaces requires some level of access. Exploitation is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.6
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qfmh-qrr2-5c4g
Restart Required: No
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.2.6 from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify the fix by testing the adicionar_tipo_quadro_horario.php functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the 'tipo' parameter by removing or encoding HTML/JavaScript special characters.
# Example PHP sanitization (add to adicionar_tipo_quadro_horario.php):
# $tipo = htmlspecialchars($_POST['tipo'], ENT_QUOTES, 'UTF-8');
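The following is an added example, not WeGIA's own code, showing the stored-XSS pattern the advisory describes next to a hardened version: an allow-list check when the 'tipo' value arrives, a parameterised INSERT, and the htmlspecialchars call from the workaround applied where the stored value is rendered, so a value that reached the database by any other route is still displayed as text. The table name, column name and $pdo handle are assumptions for illustration.

```php
<?php
// Added example, not WeGIA project code. The table "tipo_quadro_horario",
// the column "tipo" and the $pdo handle are assumed for illustration.
declare(strict_types=1);

// Before: the stored value is concatenated straight into the page, so a
// value containing markup is parsed as HTML in every visitor's browser.
function render_tipo_unsafe(string $storedTipo): string
{
    return "<td>" . $storedTipo . "</td>";
}

// After, step 1 (input side): accept only what a schedule-type name needs.
// Returns null when the value is rejected so the caller can refuse the request.
function validate_tipo(string $raw): ?string
{
    $tipo = trim($raw);
    if ($tipo === '' || mb_strlen($tipo) > 100) {
        return null;
    }
    // Letters (including accented ones), digits, spaces and a few punctuation marks.
    if (!preg_match('/^[\p{L}\p{N} ._\-\/]+$/u', $tipo)) {
        return null;
    }
    return $tipo;
}

// After, step 2 (output side): encode on every render, regardless of how the
// value entered the database. ENT_QUOTES covers attribute contexts too.
function render_tipo_safe(string $storedTipo): string
{
    return "<td>" . htmlspecialchars($storedTipo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</td>";
}

// After, step 3 (storage): a prepared statement keeps the value as data in SQL.
function store_tipo(PDO $pdo, string $tipo): void
{
    $stmt = $pdo->prepare('INSERT INTO tipo_quadro_horario (tipo) VALUES (:tipo)');
    $stmt->execute([':tipo' => $tipo]);
}

// Constructed sample input: a benign name and one carrying markup.
$samples = ['Manhã', "<script>alert('test')</script>"];
foreach ($samples as $raw) {
    $accepted = validate_tipo($raw);
    echo ($accepted === null ? 'rejected: ' : 'accepted: '), $raw, PHP_EOL;
    echo '  unsafe render: ', render_tipo_unsafe($raw), PHP_EOL;
    echo '  safe render:   ', render_tipo_safe($raw), PHP_EOL;
}
```

Run it with `php` from the command line; the second sample is rejected by validate_tipo and, even if it were stored, render_tipo_safe emits it as `&lt;script&gt;...` rather than as a live tag. Output encoding is the control that actually stops the stored script from executing; the input allow-list reduces what reaches the database in the first place.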
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
- Restrict access to the WeGIA application to trusted IP addresses only using network ACLs or firewall rules.
🔍 How to Verify
Check if Vulnerable:
Check if your WeGIA version is below 3.2.6 by examining the application version in the admin interface or configuration files.
Check Version:
# Check WeGIA version in typical installation: grep -r 'version' /path/to/wegia/config/ || cat /path/to/wegia/README.md
Verify Fix Applied:
After upgrading to 3.2.6, test the adicionar_tipo_quadro_horario.php endpoint with XSS payloads like <script>alert('test')</script> and verify they are properly sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to adicionar_tipo_quadro_horario.php with script tags or JavaScript code in parameters
- Multiple failed login attempts followed by successful access to admin functions
Network Indicators:
- HTTP requests containing <script> tags or JavaScript functions in the 'tipo' parameter
- Unexpected outbound connections from WeGIA server to external domains
SIEM Query:
source="web_server_logs" AND uri="/adicionar_tipo_quadro_horario.php" AND (param="*<script>*" OR param="*javascript:*")
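As an added example (not WeGIA project code), here is the log check behind the indicators above, run over constructed Apache combined-format lines: requests to adicionar_tipo_quadro_horario.php whose URL-decoded parameters contain a script tag, a javascript: URL or an inline event handler are reported. Access logs do not contain POST bodies, so for the 'tipo' parameter sent by POST the same matching should be applied in application-level request logging (an assumption about the deployment, not something the advisory states).

```php
<?php
// Added example, not WeGIA project code. The log lines below are constructed;
// POST bodies are absent from access logs, so apply the same check to
// application-side request logs for the POST case (assumption).
declare(strict_types=1);

const TARGET_PATH = '/adicionar_tipo_quadro_horario.php';

// Indicators from the advisory (script tags, javascript: URLs) plus inline
// event handlers, matched after URL decoding so %3C and friends are caught.
const XSS_INDICATORS = [
    '/<\s*script/i',
    '/javascript\s*:/i',
    '/\bon[a-z]+\s*=/i',
];

// Parse one combined-format line: host ident user [time] "METHOD path HTTP/x" status size
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/', $line, $m)) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH) ?? $m[4];
    $query = parse_url($m[4], PHP_URL_QUERY) ?? '';
    return [
        'ip' => $m[1],
        'time' => $m[2],
        'method' => $m[3],
        'path' => $path,
        'query' => urldecode($query),
        'status' => (int) $m[5],
    ];
}

function is_suspicious(array $req): bool
{
    if ($req['path'] !== TARGET_PATH) {
        return false;
    }
    foreach (XSS_INDICATORS as $re) {
        if (preg_match($re, $req['query'])) {
            return true;
        }
    }
    return false;
}

// Returns the parsed requests that match, in log order.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req !== null && is_suspicious($req)) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample log lines: one benign, two hits, one on another path.
$lines = [
    '10.0.0.5 - - [10/Jan/2025:10:00:01 +0000] "GET /adicionar_tipo_quadro_horario.php?tipo=Manh%C3%A3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jan/2025:10:00:07 +0000] "GET /adicionar_tipo_quadro_horario.php?tipo=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jan/2025:10:00:09 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 300',
    '10.0.0.7 - - [10/Jan/2025:10:00:12 +0000] "GET /adicionar_tipo_quadro_horario.php?tipo=x%20onmouseover%3Dalert(1) HTTP/1.1" 200 512',
];
foreach (scan_log($lines) as $hit) {
    printf("%s %s %s %s?%s%s", $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['query'], PHP_EOL);
}
```

Decoding before matching is the detail that matters: the SIEM query above looks for a literal `<script>`, which a URL-encoded request never contains, so a search tool that does not normalise parameters will miss the second and fourth lines. The third line is deliberately left out of the report because the page in question is the affected endpoint, not the site as a whole; widen TARGET_PATH if the same pattern is wanted site-wide.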