CVE-2025-58452
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in WeGIA's listar_despachos.php endpoint allows attackers to inject malicious scripts via the id_memorando parameter. This could enable session hijacking, credential theft, or defacement when users click malicious links. Organizations using WeGIA versions before 3.4.11 are affected.
💻 Affected Systems
- WeGIA (Web manager for charitable institutions)
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, gain full control of the charitable institution management system, and potentially access sensitive donor/beneficiary data.
Likely Case
Session hijacking leading to unauthorized actions within the application, or credential theft from users who click malicious links.
If Mitigated
Limited impact due to proper input validation, output encoding, and user awareness about suspicious links.
🎯 Exploit Status
Requires user interaction (clicking malicious link) and knowledge of the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.11
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hq9x-mfv2-x467
Restart Required: No
Instructions:
1. Back up the current WeGIA installation and database.
2. Download version 3.4.11 from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify the patch by testing the id_memorando parameter.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to sanitize the id_memorando parameter before it is processed.
Modify listar_despachos.php to include: $id_memorando = filter_var($_GET['id_memorando'], FILTER_SANITIZE_STRING);
Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; on current PHP releases, validate the value as the type it is expected to be (for example FILTER_VALIDATE_INT for a numeric id) and HTML-encode it with htmlspecialchars() wherever it is echoed back into the page.
Web Application Firewall (WAF) Rule
Block malicious script patterns in the id_memorando parameter.
Add a WAF rule to detect and block <script>, javascript:, onload= and similar patterns in URL parameters; match against the URL-decoded value, since payloads are commonly percent-encoded.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Disable or restrict access to the listar_despachos.php endpoint if not required for operations.
🔍 How to Verify
Check if Vulnerable:
Test by accessing listar_despachos.php with payload: ?id_memorando=<script>alert('XSS')</script> and check if script executes.
Check Version:
Check WeGIA version in admin panel or review application files for version indicators.
Verify Fix Applied:
Repeat the test with the same payload after patching; script should not execute and input should be sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to listar_despachos.php containing script tags or JavaScript in parameters
- Unusual parameter values in id_memorando field
Network Indicators:
- Malicious URLs containing script payloads targeting the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri="*listar_despachos.php*" AND (param="*<script>*" OR param="*javascript:*")
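The log indicators and SIEM query above, turned into a stand-alone scanner over constructed sample log lines. This is an added example, not code from the page or from the WeGIA project: it assumes combined-log-format access logs with the query string in the request line, an unspecified directory for listar_despachos.php (the match is on the script name only), and that id_memorando is a numeric record id, so any non-numeric value is flagged as anomalous even when no signature matches. It URL-decodes repeatedly before matching so that double-encoded payloads are not missed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
# The path directory is an assumption; detection matches on the script name only.
SAMPLE_LOGS = """\
203.0.113.5 - - [10/Sep/2025:10:01:02 +0000] "GET /listar_despachos.php?id_memorando=42 HTTP/1.1" 200 512
203.0.113.9 - - [10/Sep/2025:10:02:07 +0000] "GET /listar_despachos.php?id_memorando=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
203.0.113.9 - - [10/Sep/2025:10:02:30 +0000] "GET /listar_despachos.php?id_memorando=7%2522%2520onload%253Dalert(1) HTTP/1.1" 200 640
203.0.113.2 - - [10/Sep/2025:10:03:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Patterns from the page's WAF guidance (script tags, javascript: URLs, on*= handlers),
# applied only after URL-decoding. Heuristic: may need tuning for your application.
SIGNATURE_RE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def deep_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a double-encoded payload is still seen decoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return a finding dict for a suspicious listar_despachos.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("listar_despachos.php"):
        return None
    # parse_qs decodes once; deep_decode handles any further encoding layers.
    values = [deep_decode(v) for v in parse_qs(parts.query, keep_blank_values=True).get("id_memorando", [])]
    for value in values:
        reasons = []
        if SIGNATURE_RE.search(value):
            reasons.append("signature")
        if not value.isdigit():  # assumption: id_memorando is a numeric record id
            reasons.append("non_numeric")
        if reasons:
            return {"ip": m.group("ip"), "ts": m.group("ts"), "value": value, "reasons": reasons}
    return None


def scan(log_text: str) -> list:
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```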