CVE-2025-30366

WeGIA is a Web manager for charitable institutions. Versions prior to 3.2.8 are vulnerable to stored cross-site scripting. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page. Version 3.2.8 fixes the issue.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pwr9-fr8r-8h48	Exploit Vendor Advisory
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pwr9-fr8r-8h48	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-27 17:15

Updated : 2025-04-10 14:51

NVD link : CVE-2025-30366

Mitre link : CVE-2025-30366

CVE.ORG link : CVE-2025-30366

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-30366", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-27T17:15:58.047", "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pwr9-fr8r-8h48", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pwr9-fr8r-8h48", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "WeGIA is a Web manager for charitable institutions. Versions prior to 3.2.8 are vulnerable to stored cross-site scripting. This vulnerability allows unauthorized scripts to be executed within the user's browser context. Stored XSS is particularly critical, as the malicious code is permanently stored on the server and executed whenever a compromised page is loaded, affecting all users accessing this page. Version 3.2.8 fixes the issue."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones ben\u00e9ficas. Las versiones anteriores a la 3.2.8 son vulnerables a cross-site scripting almacenado. Esta vulnerabilidad permite la ejecuci\u00f3n de scripts no autorizados en el navegador del usuario. El XSS almacenado es especialmente cr\u00edtico, ya que el c\u00f3digo malicioso se almacena permanentemente en el servidor y se ejecuta cada vez que se carga una p\u00e1gina comprometida, afectando a todos los usuarios que acceden a ella. La versi\u00f3n 3.2.8 corrige el problema."}], "lastModified": "2025-04-10T14:51:47.070", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DDD2AC7-FB66-4368-821D-B4BA30BD83D6", "versionEndExcluding": "3.2.8"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}