CVE-2025-29782
📋 TL;DR
A stored XSS vulnerability in WeGIA's 'adicionar_tipo_docs_atendido.php' endpoint allows attackers to inject malicious scripts via the 'tipo' parameter. These scripts persist on the server and execute automatically when users access the affected page, potentially compromising user sessions and data. Organizations using WeGIA versions before 3.2.17 are affected.
💻 Affected Systems
- WeGIA (Web manager for charitable institutions)
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, hijack user sessions, deface the application, or redirect users to malicious sites, leading to complete system compromise and data theft.
Likely Case
Attackers steal session cookies or authentication tokens to impersonate users, potentially accessing sensitive charitable institution data or performing unauthorized actions.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be neutralized, preventing execution and limiting impact to data integrity issues only.
🎯 Exploit Status
Stored XSS vulnerabilities are commonly exploited; while no public PoC exists, the advisory provides enough detail for attackers to craft exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.17
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5x5w-5c99-vr8h
Restart Required: Yes
Instructions:
1. Backup your current WeGIA installation and database. 2. Download version 3.2.17 from the official GitHub releases page. 3. Replace the vulnerable files with the patched version. 4. Restart your web server (e.g., Apache, Nginx). 5. Verify the fix by testing the 'adicionar_tipo_docs_atendido.php' endpoint.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement server-side validation to sanitize the 'tipo' parameter by removing or encoding HTML/JavaScript characters before storage.
Modify 'adicionar_tipo_docs_atendido.php' to use functions like htmlspecialchars() or filter_var() on the 'tipo' input.
Web Application Firewall (WAF) Rules
allConfigure WAF rules to block requests containing malicious scripts in the 'tipo' parameter.
Add a WAF rule to detect and block patterns like <script>, javascript:, or common XSS payloads in the 'tipo' parameter.
🧯 If You Can't Patch
- Restrict access to the 'adicionar_tipo_docs_atendido.php' endpoint using network ACLs or authentication mechanisms.
- Implement Content Security Policy (CSP) headers to mitigate script execution from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Test the 'adicionar_tipo_docs_atendido.php' endpoint by submitting a payload like <script>alert('XSS')</script> in the 'tipo' parameter and check if it executes when the page is accessed.Check Version:
Check the WeGIA version in the application's admin panel or review the source code for version markers.Verify Fix Applied:
After patching, repeat the test with the same payload; it should be sanitized and not execute. Check the page source to ensure the script is encoded or removed.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to 'adicionar_tipo_docs_atendido.php' with script-like content in parameters.
- Log entries showing successful submissions with malicious payloads in the 'tipo' field.
Network Indicators:
- HTTP requests containing XSS payloads (e.g., <script>, eval(), document.cookie) in the 'tipo' parameter.
SIEM Query:
source="web_server_logs" AND uri="/adicionar_tipo_docs_atendido.php" AND (param="tipo" AND value MATCHES "(?i)<script|javascript:|alert\("