CVE-2025-57764
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in WeGIA web management software allows attackers to inject malicious scripts via the msg_e parameter in cargos.php. This could enable session hijacking, credential theft, or defacement of the application. All WeGIA installations prior to version 3.4.7 are affected.
💻 Affected Systems
- WeGIA Web Manager for Charitable Institutions
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, redirect users to malicious sites, or deface the application interface.
Likely Case
Attackers could steal session cookies or perform actions on behalf of authenticated users, potentially compromising sensitive charitable institution data.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution.
🎯 Exploit Status
Exploitation requires tricking users into clicking malicious links containing the XSS payload in the msg_e parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.7
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qx7f-q867-cgx2
Restart Required: No
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.4.7 or later from the official repository.
3. Replace the vulnerable cargos.php file with the patched version.
4. Verify the fix by testing the msg_e parameter with XSS payloads.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side handling of the msg_e parameter so that its value is HTML-encoded before it is echoed into the page.
Add the encoding in cargos.php: $msg_e = htmlspecialchars($_GET['msg_e'], ENT_QUOTES, 'UTF-8');
Note that htmlspecialchars neutralizes the value only where it is rendered as HTML text or inside a quoted attribute; a value written directly into a script block or a URL needs context-appropriate encoding instead.
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious payloads in the msg_e parameter.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Disable or restrict access to the cargos.php endpoint if not essential
🔍 How to Verify
Check if Vulnerable:
Test the cargos.php endpoint with a harmless XSS payload such as cargos.php?msg_e=<script>alert('test')</script> and check whether the script executes.
Check Version:
Check the WeGIA version in the application interface or review the source code for version markers.
Verify Fix Applied:
After patching, test with the same XSS payload and verify the script does not execute and the input is properly encoded.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to cargos.php containing script tags or JavaScript in msg_e parameter
- Unusual length or character patterns in msg_e parameter values
Network Indicators:
- HTTP GET requests with suspicious parameters containing JavaScript code or encoded payloads
SIEM Query:
source="web_logs" AND uri="*cargos.php*" AND (msg_e="*<script>*" OR msg_e="*javascript:*" OR msg_e="*onerror=*" OR msg_e="*onload=*")
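The log-indicator and SIEM-query patterns above, applied to web-server access logs with Python, as an added example that is not part of this advisory or of WeGIA. It URL-decodes the msg_e value once (as PHP does before the application sees it) so that encoded payloads such as %3Cscript%3E are caught, matches the patterns case-insensitively, and also flags unusually long values; the log lines, the /html/ path prefix and the 200-character length threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines ("combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /html/cargos.php?msg_e=Cargo+salvo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /html/cargos.php?msg_e=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 611 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jan/2025:10:00:03 +0000] "GET /html/cargos.php?msg_e=%3Cimg%20src%3Dx%20ONERROR%3Dalert(1)%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2025:10:00:04 +0000] "GET /html/index.php?msg_e=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same indicators as the SIEM query, but case-insensitive and tolerant of
# whitespace around '<script' and the event-handler '=' sign.
SUSPICIOUS = re.compile(r'<\s*script|javascript:|on(?:error|load)\s*=', re.IGNORECASE)

# Assumed threshold for the "unusual length" indicator; tune to real traffic.
MAX_MSG_LEN = 200


def suspicious_msg_e(log_text):
    """Return one dict per request to cargos.php whose msg_e value looks like XSS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m.group('target'))
        if url.path.rsplit('/', 1)[-1] != 'cargos.php':
            continue  # only the vulnerable endpoint is of interest
        # parse_qs percent-decodes once and turns '+' into a space, as PHP does.
        for value in parse_qs(url.query, keep_blank_values=True).get('msg_e', []):
            if SUSPICIOUS.search(value):
                reason = 'pattern'
            elif len(value) > MAX_MSG_LEN:
                reason = 'length'
            else:
                continue
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'status': int(m.group('status')),
                         'msg_e': value, 'reason': reason})
    return hits


if __name__ == '__main__':
    for hit in suspicious_msg_e(SAMPLE_LOG):
        print(hit)
```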