CVE-2025-53525
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability exists in WeGIA's profile_familiar.php endpoint via the id_dependente parameter. Attackers can inject malicious scripts that execute in victims' browsers when they visit crafted URLs. This affects all WeGIA users who access the vulnerable endpoint.
💻 Affected Systems
- WeGIA
📦 What is this software?
WeGIA by WeGIA
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.
Likely Case
Session hijacking, credential theft, or defacement of the application interface for targeted users.
If Mitigated
Limited impact if proper input validation, output encoding, and Content Security Policy are implemented.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) but is technically simple.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.3
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-982x-v58q-6qpj
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download version 3.4.3 from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify the fix by testing the id_dependente parameter.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation so that only numeric values are accepted for the id_dependente parameter.
Modify profile_familiar.php to include (the isset check avoids an undefined-index warning when the parameter is absent): if (!isset($_GET['id_dependente']) || !is_numeric($_GET['id_dependente'])) { die('Invalid parameter'); }
Web Application Firewall Rule
Block requests containing script tags or JavaScript in the id_dependente parameter.
Add WAF rule: deny if ARGS:id_dependente contains '<script' or 'javascript:'
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Disable or restrict access to the profile_familiar.php endpoint using web server configuration or authentication.
🔍 How to Verify
Check if Vulnerable:
Test by accessing profile_familiar.php?id_dependente=<script>alert('XSS')</script> and check whether the script executes.
Check Version:
Check the application's version in the admin panel or read the version file if available.
Verify Fix Applied:
After patching, repeat the test; the script should not execute and the parameter should be sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to profile_familiar.php with script tags or encoded JavaScript in parameters
Network Indicators:
- Unusual outbound connections from user browsers after visiting profile_familiar.php links
SIEM Query:
source="web_logs" AND uri="/profile_familiar.php" AND (query CONTAINS "<script" OR query CONTAINS "javascript:")
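The log indicators and SIEM query above match the literal strings `<script` and `javascript:`, which misses URL-encoded and double-encoded payloads. The scanner below is an added example (not part of this advisory or of the WeGIA project) that applies the same two markers to the id_dependente parameter of requests to /profile_familiar.php after fully URL-decoding it, and additionally flags non-numeric values since the parameter is expected to be an integer id. The access-log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format), not real WeGIA traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /profile_familiar.php?id_dependente=42 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jul/2025:10:00:02 +0000] "GET /profile_familiar.php?id_dependente=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 600',
    '10.0.0.7 - - [01/Jul/2025:10:00:03 +0000] "GET /profile_familiar.php?id_dependente=%253Cscript%253E HTTP/1.1" 200 600',
    '10.0.0.8 - - [01/Jul/2025:10:00:04 +0000] "GET /index.php?id_dependente=%3Cscript%3E HTTP/1.1" 200 100',
    '10.0.0.9 - - [01/Jul/2025:10:00:05 +0000] "GET /profile_familiar.php?id_dependente=JaVaScRiPt:alert(1) HTTP/1.1" 200 600',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TARGET_PATH = "/profile_familiar.php"   # path used by the advisory's SIEM query
PARAM = "id_dependente"
MARKERS = ("<script", "javascript:")    # the same two markers as the SIEM query

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) normalise."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line: str):
    """Return a reason string if the request is suspicious for this CVE, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None                      # other endpoints are out of scope here
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    for raw in values:                   # parse_qs already decoded one layer
        value = fully_decode(raw).lower()
        if any(marker in value for marker in MARKERS):
            return f"script marker in {PARAM}: {raw}"
        if not value.isdigit():          # the parameter should be an integer id
            return f"non-numeric {PARAM}: {raw}"
    return None

def scan(lines):
    """Return (client_ip, reason) for every flagged request, in log order."""
    return [(line.split(" ", 1)[0], reason)
            for line in lines if (reason := inspect_line(line))]
```

Run against the samples, `scan(SAMPLE_LOGS)` flags 10.0.0.6 (encoded script tag), 10.0.0.7 (double-encoded) and 10.0.0.9 (mixed-case javascript: URI), while the legitimate numeric request and the request to a different endpoint pass.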