CVE-2025-27418
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in WeGIA lets an attacker inject script through the tipo parameter of the adicionar_tipo_atendido.php endpoint. The injected markup is stored server-side and executes in the browser of every user who later views a page that renders the stored value, exposing their sessions and data. WeGIA versions prior to 3.2.16 are affected.
💻 Affected Systems
- WeGIA Web Manager
📦 What is this software?
WeGIA (Web Gerenciador para Instituições Assistenciais) is an open-source, PHP-based web management system for charitable institutions, maintained by LabRedesCefetRJ on GitHub.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies or credentials, perform actions with the victim's privileges, deface the application, or redirect users to attacker-controlled sites. Because the payload is stored, one injection reaches every user who views the affected page; capturing an administrator's session amounts to full control of the application.
Likely Case
Session hijacking, credential theft, and unauthorized actions performed on behalf of authenticated users.
If Mitigated
Low impact once the rendering page HTML-encodes the stored value, since the payload is then displayed as text rather than parsed as markup. Partial controls (a WAF blocklist, a CSP that still permits inline script) only raise the bar: stored XSS remains exploitable until the output encoding is fixed.
🎯 Exploit Status
Stored XSS in a form handler is straightforward to exploit: the attack is a single request to adicionar_tipo_atendido.php with a crafted tipo value. Per this page, reaching the endpoint is the only precondition and authentication is not required. No public proof-of-concept is referenced here beyond the test payload under "How to Verify".
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.16
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg
Restart Required: No
Instructions:
1. Back up your current WeGIA installation and database.
2. Download WeGIA version 3.2.16 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify the fix by submitting a marked payload to the adicionar_tipo_atendido.php endpoint and confirming that the page displaying stored tipos renders it as encoded text, not as markup. Values injected before the upgrade remain in the database until removed or re-encoded.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation of the tipo parameter before it is processed or stored.
Modify adicionar_tipo_atendido.php to include: $tipo = htmlspecialchars($_POST['tipo'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
This encodes the value at input time, so the stored string contains HTML entities and displays safely wherever it is emitted into HTML body or attribute context. It does not protect a value that is later inserted into a JavaScript string or an unquoted attribute, and it double-encodes if the page later encodes it again. The durable fix is the one the patch applies: encode at the point of output.
WAF Rule
Deploy a web application firewall rule to block XSS payloads in the tipo parameter.
Add WAF rule: detect and block requests to adicionar_tipo_atendido.php whose tipo parameter contains <script, javascript:, an on*= event handler, or URL-encoded forms of these (%3Cscript, %3C%2Fscript). Treat this as a stopgap: keyword blocklists are routinely bypassed with alternative tags (<img src=x onerror=...>, <svg onload=...>), case variation and double encoding, so the rule buys time rather than closing the issue.
🧯 If You Can't Patch
- Restrict access to the adicionar_tipo_atendido.php endpoint to an allowlist of source IPs or to authenticated users, so an anonymous attacker cannot reach the injection point.
- Serve a Content Security Policy that disallows inline script (a script-src without 'unsafe-inline', or nonce-based). A policy that still permits inline script or unsafe-inline event handlers will not stop this payload.
🔍 How to Verify
Check if Vulnerable:
Submit a payload carrying a unique marker, for example <img src=x onerror="alert('MARK')">, in the tipo parameter of adicionar_tipo_atendido.php, then open the page that displays the stored tipos and check how the marker comes back: raw markup means vulnerable, entity-encoded text (&lt;img ...) means the output is encoded. The unique marker separates this test from earlier data, and an event-handler payload fires even where a bare <script> element inserted via innerHTML would not.
Check Version:
Check the WeGIA version in the application interface or review the source code for version markers.
Verify Fix Applied:
After patching, attempt the same XSS payload test; the script should be properly encoded and not execute.
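The following script is an added example for the check described above, not WeGIA's own code. It assumes the endpoint is reachable under BASE_URL at ENDPOINT_PATH, accepts a POST form field named tipo, and that the stored value is rendered on a page at LISTING_PATH (the page above does not name that page, so the path is an assumption). The classification logic is separated from the HTTP calls so it can be exercised offline on captured HTML.

```python
"""Stored-XSS check for the tipo parameter of adicionar_tipo_atendido.php.

Added example, not WeGIA's own code. Assumptions (not stated on the page):
the endpoint lives under BASE_URL at ENDPOINT_PATH, takes a POST field `tipo`,
and the stored value is rendered on LISTING_PATH.
"""
import re
import secrets
import urllib.parse
import urllib.request

BASE_URL = "http://wegia.example.test"           # assumed: your test instance
ENDPOINT_PATH = "/adicionar_tipo_atendido.php"   # assumed location of the endpoint
LISTING_PATH = "/"                               # assumed: page that renders stored tipos


def make_payload(marker: str) -> str:
    """Event-handler payload tagged with a unique marker.

    onerror fires even where content is inserted with innerHTML, which does not
    execute a bare <script> element; the marker keeps this test distinguishable
    from payloads left behind by earlier tests.
    """
    return f'<img src=x onerror="console.log(\'{marker}\')">'


def classify(body: str, marker: str) -> str:
    """Classify how the listing page rendered the stored payload."""
    payload = make_payload(marker)
    if payload in body:
        return "vulnerable"   # stored verbatim: the browser parses it as markup
    if marker not in body:
        return "absent"       # not stored, or rendered on a page we did not fetch
    # Marker is present but the raw tag is not: look for the entity-encoded form,
    # e.g. &lt;img src=x onerror=&quot;console.log(&#039;MARK&#039;)&quot;&gt;
    if re.search(r"&lt;img.{0,120}?" + re.escape(marker), body):
        return "encoded"      # htmlspecialchars-style output encoding is in place
    return "unclear"          # marker appears in some other context: inspect by hand


def check(base_url: str = BASE_URL, timeout: float = 10.0) -> str:
    """Submit a marked payload, fetch the listing page, and classify the result."""
    marker = "xss" + secrets.token_hex(4)
    data = urllib.parse.urlencode({"tipo": make_payload(marker)}).encode()
    with urllib.request.urlopen(base_url + ENDPOINT_PATH, data=data, timeout=timeout):
        pass  # the add request's own response is not what we inspect
    with urllib.request.urlopen(base_url + LISTING_PATH, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify(body, marker)


if __name__ == "__main__":
    print(check())
```

Run it against a test copy before and after the upgrade: "vulnerable" before, "encoded" after. An "unclear" result usually means the value was reflected into a JavaScript or attribute context rather than HTML body text, which the simple entity check does not cover; open the page source and look at the marker by hand.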
📡 Detection & Monitoring
Log Indicators:
- POST or GET requests to adicionar_tipo_atendido.php whose tipo parameter carries script tags, event handlers, or URL-encoded equivalents (%3Cscript%3E, %3Cimg, %3Csvg). Note that stock web server access logs do not record POST bodies; body-level visibility needs a WAF, application-level logging, or inspection of the stored tipo values in the database.
- Repeated requests from one source IP against the endpoint with varying payloads, the pattern of an attacker iterating through filter-bypass variants.
Network Indicators:
- HTTP requests containing <script>, javascript:, on*= event handlers, or their URL-encoded and double-encoded forms in the tipo parameter.
SIEM Query (field names are illustrative; adapt to your log schema):
source="web_logs" AND uri="*adicionar_tipo_atendido.php*" AND (param="*<script*" OR param="*%3Cscript*" OR param="*javascript:*" OR param="*onerror=*" OR param="*onload=*")
This matches only where the parameter value is actually logged: GET query strings in access logs, or request bodies when a WAF or body-logging configuration captures them.
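As an added example (not part of this page or of WeGIA), the detection logic above applied to log lines: it extracts the tipo parameter from requests to the endpoint, decodes single and double URL-encoding, and matches a pattern set broader than the page's <script>/javascript: pair. The log lines are constructed, in Apache/nginx combined format; the body="..." field on the POST line is an assumed extension that a body-logging WAF or custom LogFormat could supply, since standard access logs do not record POST bodies.

```python
"""Detection sweep for XSS payloads aimed at the tipo parameter.

Added example, not the page's or WeGIA's code. LOG_LINES are constructed;
the body="..." field is an assumed extension to the combined log format.
"""
import re
import urllib.parse
from collections import Counter

ENDPOINT = "adicionar_tipo_atendido.php"

# Constructed sample traffic (not real logs).
LOG_LINES = [
    '10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /adicionar_tipo_atendido.php?tipo=Idoso HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2025:10:00:02 +0000] "GET /adicionar_tipo_atendido.php?tipo=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2025:10:00:03 +0000] "GET /adicionar_tipo_atendido.php?tipo=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2025:10:00:04 +0000] "POST /adicionar_tipo_atendido.php HTTP/1.1" 302 0 body="tipo=%3Csvg+onload%3Dalert(1)%3E"',
    '10.0.0.9 - - [01/Mar/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
BODY_RE = re.compile(r'body="(?P<body>[^"]*)"')
# Wider than <script>/javascript: alone: event handlers and other tag names are
# the usual way around a tag blocklist.
XSS_RE = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed|body)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.I,
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads surface."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def tipo_values(query: str) -> list:
    """All tipo values in a query string or form body, fully decoded."""
    # parse_qs performs one decode; decode_fully handles any further layers.
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return [decode_fully(v) for v in params.get("tipo", [])]


def scan_line(line: str) -> list:
    """Return one finding per suspicious tipo value on this log line."""
    m = REQ_RE.search(line)
    if not m or ENDPOINT not in m.group("uri"):
        return []
    ip = line.split(" ", 1)[0]
    candidates = tipo_values(urllib.parse.urlsplit(m.group("uri")).query)
    b = BODY_RE.search(line)
    if b:
        candidates += tipo_values(b.group("body"))
    return [
        {"ip": ip, "method": m.group("method"), "tipo": v}
        for v in candidates
        if XSS_RE.search(v)
    ]


def scan_lines(lines) -> list:
    return [f for line in lines for f in scan_line(line)]


def count_by_ip(findings) -> Counter:
    """Attempts per source IP, for the repeated-attempts indicator above."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_lines(LOG_LINES)
    for h in hits:
        print(f'{h["ip"]} {h["method"]} tipo={h["tipo"]!r}')
    print("per-IP:", dict(count_by_ip(hits)))
```

The bounded decode loop matters: the third sample line only looks like a payload after two rounds of decoding, and a single-decode match would miss it. Feed the scanner WAF or body-logging output for POST traffic; on plain access logs it will only ever see GET submissions.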