CVE-2025-62358

5.4 MEDIUM

📋 TL;DR

CVE-2025-62358 is a reflected cross-site scripting (XSS) vulnerability in WeGIA web management software that allows attackers to inject malicious JavaScript via the log parameter in configuracao_geral.php. This affects all WeGIA users running versions before 3.5.1, potentially compromising user sessions and allowing client-side attacks.

💻 Affected Systems

Products:
  • WeGIA
Versions: All versions prior to 3.5.1
Operating Systems: All platforms running WeGIA
Default Config Vulnerable: ⚠️ Yes
Notes: WeGIA is a Portuguese-language web management system for institutions. The vulnerability is present in the default configuration; no optional feature needs to be enabled for it to be reachable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack user sessions, perform actions on behalf of authenticated users, or redirect users to malicious sites, potentially leading to full system compromise.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the WeGIA interface through injected content.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to trick a user into opening a crafted link that carries the XSS payload in the log parameter. Because this is reflected XSS, the payload is delivered in the request and echoed back in the response rather than stored on the server, so each victim must be lured individually.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.1

Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g6hr-2rhx-f8q4

Restart Required: No

Instructions:

1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.5.1 or later from the official repository.
3. Replace the vulnerable configuracao_geral.php file with the patched version.
4. Verify the fix by checking that commit eddb9b134883cac5d0de770bfcca6e05bfcbd684 is applied.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize the log parameter before processing.

Content Security Policy

all

Implement strict CSP headers to prevent execution of inline scripts and restrict script sources.

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious requests.
  • Disable or restrict access to the configuracao_geral.php endpoint if not required for normal operations.

🔍 How to Verify

Check if Vulnerable:

Check whether your WeGIA version is below 3.5.1 by examining the version file or the admin interface. On a test instance, confirm the issue by submitting a simple XSS payload such as <script>alert('test')</script> in the log parameter and observing whether it is reflected unencoded in the response.

Check Version:

Check the version.txt file, or log in to the WeGIA admin panel to see the version information.

Verify Fix Applied:

After patching, verify that XSS payloads no longer execute in the browser and that the log parameter is properly sanitized. Check that the commit eddb9b134883cac5d0de770bfcca6e05bfcbd684 is present in your codebase.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to configuracao_geral.php with script tags or JavaScript in parameters
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript code in the log parameter
  • Unusual referrer headers pointing to malicious sites

SIEM Query:

source="web_server" AND uri="/configuracao_geral.php" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
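As an added example (not code from the advisory or from the WeGIA project), the following Python script applies the log indicators above to constructed access-log lines. It URL-decodes the log parameter before matching, so percent-encoded and double-encoded payloads that a raw substring match on the query string would miss are still flagged. The Apache combined log format and the /html/ path prefix are assumptions; matching is done on the script name only.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators named in the advisory's detection section (matched case-insensitively).
INDICATORS = ("<script", "javascript:")

# Apache combined log format: ip ident user [ts] "METHOD target proto" status size "referrer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines; not real WeGIA traffic. Line 3 is double-encoded, line 4 hits another page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2025:10:01:02 +0000] "GET /html/configuracao_geral.php?log=ok HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Oct/2025:10:01:09 +0000] "GET /html/configuracao_geral.php?log=%3Cscript%3Ealert(%27test%27)%3C/script%3E HTTP/1.1" 200 5210 "http://evil.example/" "Mozilla/5.0"
10.0.0.8 - - [12/Oct/2025:10:02:15 +0000] "GET /html/configuracao_geral.php?log=javascript%253Aalert(1) HTTP/1.1" 200 5200 "-" "curl/8.0"
10.0.0.9 - - [12/Oct/2025:10:03:00 +0000] "GET /html/outra_pagina.php?log=%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def suspicious_values(target: str) -> list[tuple[str, str]]:
    """Return (indicator, decoded value) pairs for the log parameter of one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/configuracao_geral.php"):
        return []
    hits = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get("log", []):
        # parse_qs already decoded once; decode again so %253C (double-encoded "<") is caught too.
        value = unquote(raw).lower()
        for indicator in INDICATORS:
            if indicator in value:
                hits.append((indicator, value))
                break
    return hits


def scan(log_text: str) -> list[dict]:
    """Parse access-log text and return one finding per suspicious log parameter value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the scan
        for indicator, value in suspicious_values(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "indicator": indicator,
                             "value": value, "referrer": m["referrer"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} matched {f['indicator']!r} (referrer {f['referrer']}): {f['value']}")
```

The referrer is carried into each finding because the advisory also lists unusual referrers as a network indicator; correlate it with the matched value when triaging.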
