CVE-2025-54078
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in WeGIA web management software allows attackers to inject malicious scripts via the 'err' parameter in the personalizacao_imagem.php endpoint. This could enable session hijacking, credential theft, or defacement attacks against users who click malicious links. Organizations using WeGIA versions before 3.4.6 for charitable institution management are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to the WeGIA system, modify charitable institution data, redirect donations, or install backdoors for persistent access.
Likely Case
Attackers craft phishing emails with malicious links that execute scripts in victims' browsers, potentially stealing session tokens or credentials when users click the links.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized, preventing execution even if the vulnerable parameter is accessed.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited via phishing campaigns. The vulnerability requires user interaction (clicking a malicious link) but requires no authentication to trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.6
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-f4j2-mxwh-rfm7
Restart Required: No
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.4.6 from the official repository.
3. Replace the vulnerable personalizacao_imagem.php file with the patched version.
4. Verify the fix by testing the err parameter with script payloads.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Configure the WAF to block requests containing script tags or JavaScript in the err parameter
WAF-specific configuration commands vary by vendor
Input Validation Filter
Add server-side validation to sanitize the err parameter before processing
Modify personalizacao_imagem.php to add: $err = htmlspecialchars($_GET['err'], ENT_QUOTES, 'UTF-8');
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Deploy a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Access personalizacao_imagem.php?err=<script>alert('XSS')</script> and check whether the script executes
Check Version:
Check WeGIA version in admin panel or review version.php file
Verify Fix Applied:
Test the same payload after patching: the script should not execute and should be displayed as plain text
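The following Python script is added here as an illustration; it is not part of the WeGIA project or of the advisory. It shows what the output-encoding workaround above does to the test payload and automates the "Verify Fix Applied" check by classifying a captured response body as vulnerable (payload reflected as live markup), fixed (reflected only as HTML entities) or not reflected. The render_page function is a hypothetical stand-in for the endpoint's output, the payload constant is the one the advisory uses, and html.escape(quote=True) encodes the same five characters as PHP's htmlspecialchars with ENT_QUOTES (the apostrophe becomes &#x27; in Python and &#039; in PHP, both inert).

```python
import html

# Constructed test payload: the same one the advisory uses for manual verification.
XSS_PAYLOAD = "<script>alert('XSS')</script>"


def encode_err(err: str) -> str:
    """Output-encode the err value the way the advisory's PHP workaround does.
    htmlspecialchars($err, ENT_QUOTES, 'UTF-8') escapes & < > " and '; Python's
    html.escape(quote=True) covers the same five characters (the apostrophe
    becomes &#x27; here and &#039; in PHP, both inert in HTML)."""
    return html.escape(err, quote=True)


def render_page(err: str, patched: bool) -> str:
    """Hypothetical stand-in for the fragment personalizacao_imagem.php emits.
    patched=False reproduces the vulnerable behaviour (raw reflection) so the
    classifier below can be exercised against both outcomes."""
    shown = encode_err(err) if patched else err
    return f'<div class="error">{shown}</div>'


def classify_reflection(body: str, payload: str) -> str:
    """Classify a captured response body for the 'Verify Fix Applied' step.

    vulnerable     - the payload is reflected as live markup (a browser would run it)
    fixed          - the payload is reflected only as HTML entities (shown as text)
    not reflected  - the parameter value does not appear in the response at all
    """
    if payload in body:
        return "vulnerable"
    # html.unescape turns both &#x27; and &#039; back into an apostrophe, so this
    # branch recognises output from the PHP fix as well as from encode_err().
    if payload in html.unescape(body):
        return "fixed"
    return "not reflected"


if __name__ == "__main__":
    for patched in (False, True):
        body = render_page(XSS_PAYLOAD, patched)
        print(f"patched={patched}: {classify_reflection(body, XSS_PAYLOAD)} -> {body}")
```

To use classify_reflection against a real installation, request the endpoint with the payload from the "Check if Vulnerable" step, save the response body, and pass the body and the payload to the function; a result of "fixed" is the behaviour expected after 3.4.6 or after the htmlspecialchars workaround.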
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to personalizacao_imagem.php with script tags in err parameter
- Unusual parameter values containing JavaScript or HTML in err field
Network Indicators:
- HTTP GET requests with encoded script payloads in query parameters
- Traffic patterns showing repeated access attempts to vulnerable endpoint
SIEM Query:
source="web_logs" AND uri_path="/personalizacao_imagem.php" AND query_string MATCHES "(?i)err=.*(<script|javascript:|onload=|onerror=)"
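As an added example that is not from the advisory or the WeGIA project, the Python script below applies the Log Indicators and the SIEM query above to constructed access-log lines. Two caveats the raw query-string pattern does not cover are handled: the err value is URL-decoded before matching, since payloads arrive percent-encoded (for example %3Cscript), and the match is case-insensitive, since event-handler names such as OnError= are case-insensitive in HTML. Requests to other paths are ignored, and flagged requests are counted per source address to surface the repeated-access pattern listed under Network Indicators. The log lines, IP addresses and helper names are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "GET /personalizacao_imagem.php?err=Imagem+invalida HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Sep/2025:10:00:07 +0000] "GET /personalizacao_imagem.php?err=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Sep/2025:10:00:09 +0000] "GET /personalizacao_imagem.php?err=%3Cimg%20src%3Dx%20OnError%3Dalert(1)%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Sep/2025:10:00:11 +0000] "GET /personalizacao_imagem.php?err=javascript%3Aalert(1) HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Sep/2025:10:00:15 +0000] "GET /index.php?err=%3Cscript%3E HTTP/1.1" 404 300',
]

VULNERABLE_PATH = "/personalizacao_imagem.php"

# Common log format: source, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Same alternation as the SIEM query, applied case-insensitively to the decoded value.
XSS_RE = re.compile(r"<script|javascript:|onload=|onerror=", re.IGNORECASE)


def decoded_err_values(target: str) -> list[str]:
    """Return the decoded err values of a request to the vulnerable endpoint ([] otherwise)."""
    parts = urlsplit(target)
    if parts.path != VULNERABLE_PATH:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("err", [])
    # parse_qs decodes one layer of %xx; a second unquote catches double-encoded payloads.
    return [unquote(v) for v in values]


def find_xss_attempts(lines: list[str]) -> list[dict]:
    """Flag requests whose err value contains script markup or an event handler."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in common log format
        for value in decoded_err_values(match["target"]):
            if XSS_RE.search(value):
                hits.append({"src": match["src"], "ts": match["ts"], "err": value})
    return hits


def attempts_by_source(hits: list[dict]) -> dict[str, int]:
    """Count flagged requests per source address (repeated attempts are a Network Indicator)."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    found = find_xss_attempts(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"]} {h["src"]} err={h["err"]!r}')
    print("per source:", attempts_by_source(found))
```

On the constructed input, the three requests from 10.0.0.9 are flagged (encoded script tag, mixed-case event handler, javascript: URL), the legitimate error message is not, and the request to /index.php is ignored because it does not target the vulnerable endpoint. Feed find_xss_attempts a list of lines read from the web server's access log to run it on real data.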