CVE-2025-53932
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in WeGIA's cadastro_adotante.php endpoint allows attackers to inject malicious scripts via the cpf parameter. This affects all WeGIA installations prior to version 3.4.5. Attackers could steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- WeGIA
📦 What is this software?
WeGIA, by the WeGIA project
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the WeGIA system, and potentially compromise the entire charitable organization's data and operations.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, potentially accessing sensitive personal information of donors or beneficiaries.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing any impact.
🎯 Exploit Status
Reflected XSS vulnerabilities are trivial to exploit with basic web knowledge. Attackers only need to craft a malicious URL containing the payload in the cpf parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.5
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3vfw-749q-qp6r
Restart Required: No
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.4.5 or later from the official repository.
3. Replace the vulnerable cadastro_adotante.php file with the patched version.
4. Verify the fix by testing the cpf parameter with XSS payloads.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Configure WAF to block requests containing XSS patterns in the cpf parameter
# Example ModSecurity rule:
SecRule ARGS:cpf "@detectXSS" "id:1001,phase:2,deny,status:403"
Input Validation Filter
Implement server-side validation to allow only numeric characters in the cpf parameter
# PHP example (strip every non-digit; `?? ''` avoids an undefined-index notice when cpf is absent):
$cpf = preg_replace('/[^0-9]/', '', $_GET['cpf'] ?? '');
🧯 If You Can't Patch
- Deploy a web application firewall (WAF) with XSS protection rules specifically for the cpf parameter
- Implement Content Security Policy (CSP) headers to restrict script execution from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Test the cadastro_adotante.php endpoint by appending ?cpf=<script>alert('XSS')</script> to the URL and check if the script executes
Check Version:
Check the WeGIA version in the application interface or review the source code for version markers
Verify Fix Applied:
After patching, test with the same XSS payload. The script should not execute and the input should be properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to cadastro_adotante.php with script tags or JavaScript in the cpf parameter
- Unusual length or character patterns in cpf parameter values
Network Indicators:
- HTTP GET requests containing <script> tags in query parameters
- URLs with encoded JavaScript in the cpf parameter
SIEM Query:
source="web_server" AND url="*cadastro_adotante.php*" AND (query="*<script>*" OR query="*javascript:*" OR query="*onerror=*" OR query="*onload=*")
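To show how the log indicators and SIEM query above can be applied to raw web-server access logs, and how the "numeric-only cpf" rule catches payloads the four keyword patterns miss, here is an added example (not code from this advisory or from the WeGIA project). It assumes combined-format access logs, an assumed URL path for cadastro_adotante.php, and uses constructed sample lines.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/Nginx combined log format; the path is assumed,
# the IPs are documentation ranges, and none of this is real WeGIA traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:10:01:02 +0000] "GET /cadastro_adotante.php?cpf=12345678901 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2025:10:01:07 +0000] "GET /cadastro_adotante.php?cpf=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2025:10:01:09 +0000] "GET /cadastro_adotante.php?cpf=%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 5200 "-" "curl/8.0"
198.51.100.2 - - [10/Jul/2025:10:02:00 +0000] "GET /index.php?cpf=<script>x</script> HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# The same keyword patterns the SIEM query in the advisory uses.
XSS_PATTERNS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)


def analyse_request(target: str) -> list[str]:
    """Return the reasons a request to cadastro_adotante.php looks like an XSS probe.

    An empty list means the request is either for another endpoint or carries a
    clean, purely numeric cpf value.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("cadastro_adotante.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    reasons = []
    for value in params.get("cpf", []):
        decoded = unquote(value)  # second pass catches double-encoded payloads
        if XSS_PATTERNS.search(decoded):
            reasons.append("xss_pattern")
        # cpf should be digits only; anything else is the "unusual character pattern"
        # indicator and also flags payloads that avoid the four keywords above.
        if decoded and not decoded.isdigit():
            reasons.append("non_numeric_cpf")
    return reasons


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Scan access-log text and return (client_ip, request_target, reasons) per suspicious hit."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = analyse_request(match.group("target"))
        if reasons:
            hits.append((match.group("ip"), match.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(reasons)}")
```

The fourth sample line carries a script tag but targets a different endpoint, so it is deliberately not reported; widen the path check if you want to alert on any endpoint.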