CVE-2025-54076
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in WeGIA versions before 3.4.6 allows attackers to inject malicious scripts via the msg_e parameter in the pre_cadastro_atendido.php endpoint. This affects all organizations using vulnerable WeGIA installations, particularly charitable institutions using this Portuguese-language web manager.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to account takeover or data theft.
Likely Case
Attackers could steal session cookies or redirect users to phishing pages, compromising individual user accounts.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious scripts.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link) but is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.6
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-vpvf-hffw-4qpc
Restart Required: No
Instructions:
1. Back up your current WeGIA installation.
2. Download WeGIA version 3.4.6 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify the fix by testing the pre_cadastro_atendido.php endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side input validation to sanitize the msg_e parameter before processing.
Modify pre_cadastro_atendido.php so that the msg_e parameter is encoded with htmlspecialchars() or a similar function before it is echoed into the page.
WAF Rule
Implement a web application firewall rule to block malicious script patterns in the msg_e parameter.
Add a WAF rule that detects and blocks requests whose msg_e parameter contains <script> tags or a javascript: URI.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Deploy a web application firewall (WAF) with XSS protection rules in front of the WeGIA application.
🔍 How to Verify
Check if Vulnerable:
Test the pre_cadastro_atendido.php endpoint by sending a request whose msg_e parameter contains a test payload such as <script>alert('test')</script>, and check whether the script executes.
Check Version:
Check the WeGIA version in the application interface or review the source code for version markers.
Verify Fix Applied:
After patching, repeat the test with the same payload; the script should not execute, and the input should appear in the response as properly encoded text.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to pre_cadastro_atendido.php with suspicious parameters containing script tags or encoded JavaScript
Network Indicators:
- Unusual spikes in requests to the vulnerable endpoint with long parameter values
SIEM Query:
source="web_logs" AND uri="/pre_cadastro_atendido.php" AND (param="msg_e" AND value MATCHES "<script>|javascript:")
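The SIEM query above is pseudo-syntax; the following is an added example (not part of the advisory or the WeGIA project) that applies the same logic to web server access logs in Python. It assumes a combined-style log format and uses constructed sample lines; the endpoint path and parameter name come from the advisory, and it also undoes nested percent-encoding so a double-encoded payload is not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory; the log format and sample
# lines below are constructed for this example (combined log format).
ENDPOINT = "/pre_cadastro_atendido.php"
PARAM = "msg_e"
# The two patterns the advisory's WAF/SIEM guidance calls out.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %253C (double-encoded '<') is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_line(line: str):
    """Return a finding dict if the line is a suspicious msg_e request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(ENDPOINT):
        return None
    # parse_qs already decodes one layer; decode_fully handles nested encoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)
        if SUSPICIOUS.search(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "status": m.group("status"), "value": value}
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and keep only the findings."""
    return [hit for hit in map(check_line, lines) if hit]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /pre_cadastro_atendido.php?msg_e=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2025:13:56:01 +0000] "GET /pre_cadastro_atendido.php?msg_e=Cadastro%20realizado HTTP/1.1" 200 498',
    '203.0.113.5 - - [10/Oct/2025:13:57:12 +0000] "GET /pre_cadastro_atendido.php?msg_e=%253Cscript%253Esrc%3D1%253C/script%253E HTTP/1.1" 200 520',
    '192.0.2.9 - - [10/Oct/2025:13:58:40 +0000] "GET /pre_cadastro_atendido.php?msg_e=JAVASCRIPT%3Aalert(1) HTTP/1.1" 200 505',
    '192.0.2.9 - - [10/Oct/2025:13:59:02 +0000] "GET /index.php?msg_e=%3Cscript%3E HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} msg_e={hit['value']!r}")
```

Of the five sample lines, three are flagged: the plain payload, the double-encoded one, and the mixed-case javascript: URI; the benign message and the hit on a different endpoint are ignored.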