CVE-2025-62359
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in WeGIA versions before 3.5.0 allows attackers to inject malicious scripts via the id_pet parameter in the /pet/profile_pet.php endpoint. This could enable session hijacking, phishing, or defacement for users who access a crafted link. Affected users are those running WeGIA instances with the vulnerable endpoint exposed.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal user sessions, perform actions as authenticated users, or redirect to malicious sites, potentially leading to data theft or account compromise.
Likely Case
Attackers execute limited JavaScript in victims' browsers, such as stealing cookies or displaying phishing content, requiring user interaction with a malicious link.
If Mitigated
With input validation and output encoding, the risk is minimal; exploitation fails, and user sessions remain protected.
🎯 Exploit Status
Exploitation requires crafting a malicious URL with script payloads in the id_pet parameter and tricking users into clicking it; no authentication is needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.0
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-68mw-h9q4-j34f
Restart Required: No
Instructions:
1. Back up your WeGIA installation and database.
2. Download and install WeGIA version 3.5.0 or later from the official repository.
3. Replace the vulnerable files, particularly /pet/profile_pet.php, with the patched version.
4. Verify the fix by testing the endpoint with XSS payloads.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation to sanitize the id_pet parameter, rejecting or encoding malicious input.
Modify /pet/profile_pet.php to use functions like htmlspecialchars() or filter_var() on the id_pet parameter before processing.
Web Application Firewall (WAF) Rules
Configure WAF to block requests containing script tags or suspicious patterns in the id_pet parameter.
Add a rule to block requests with patterns like <script> or javascript: in the query string.
🧯 If You Can't Patch
- Restrict access to the /pet/profile_pet.php endpoint using network controls or authentication.
- Implement Content Security Policy (CSP) headers to mitigate script execution from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Test by accessing /pet/profile_pet.php?id_pet=<script>alert('XSS')</script> and check if the script executes in the browser.
Check Version:
Check the WeGIA version in the application interface or by examining configuration files for version strings.
Verify Fix Applied:
After patching, repeat the test; the script should be encoded or blocked, with no execution.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing requests to /pet/profile_pet.php with suspicious parameters containing script tags or encoded payloads.
Network Indicators:
- HTTP requests with malicious strings in the id_pet parameter, detectable via network monitoring tools.
SIEM Query:
source="web_logs" AND uri="/pet/profile_pet.php" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
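
Access logs usually record the query string percent-encoded, so a literal match on `<script>` can miss the request. The following added example (not part of the advisory or the WeGIA project) decodes id_pet, including nested encoding, before matching; the combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ENDPOINT = "/pet/profile_pet.php"  # endpoint named in the advisory
PARAM = "id_pet"                   # parameter named in the advisory
# Assumption: combined-format access log; capture the request target.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup characters and the javascript: scheme, checked after decoding.
SUSPICIOUS_RE = re.compile(r"[<>\"'`]|javascript:", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /pet/profile_pet.php?id_pet=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2025:13:56:02 +0000] "GET /pet/profile_pet.php?id_pet=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [10/Oct/2025:13:56:40 +0000] "GET /pet/profile_pet.php?id_pet=%253Cscript%253Ealert(%2527XSS%2527)%253C%252Fscript%253E HTTP/1.1" 200 5190',
    '198.51.100.4 - - [10/Oct/2025:13:57:11 +0000] "GET /home.php?id_pet=%3Cb%3E HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_id_pet(log_line):
    """Return the decoded id_pet value if it carries markup, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith(ENDPOINT):  # also matches subdirectory installs
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == PARAM and SUSPICIOUS_RE.search(fully_decode(value)):
            return fully_decode(value)
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    hits = [(n, suspicious_id_pet(line)) for n, line in enumerate(lines, 1)]
    return [(n, value) for n, value in hits if value is not None]

if __name__ == "__main__":
    for number, decoded in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious {PARAM} -> {decoded!r}")
```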