CVE-2025-57762

WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, there is a Stored Cross-Site Scripting (XSS) vulnerability in the dependente_docdependente.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the nome parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.4.7.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/commit/fb1ab404c564e4dce32796b4b68cd192731207f3	Patch
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-494r-43f3-p828	Exploit Vendor Advisory
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-494r-43f3-p828	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-21 17:15

Updated : 2025-08-22 21:12

NVD link : CVE-2025-57762

Mitre link : CVE-2025-57762

CVE.ORG link : CVE-2025-57762

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-57762", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-21T17:15:31.977", "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/fb1ab404c564e4dce32796b4b68cd192731207f3", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-494r-43f3-p828", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-494r-43f3-p828", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, there is a Stored Cross-Site Scripting (XSS) vulnerability in the dependente_docdependente.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the nome parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.4.7."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones ben\u00e9ficas. En versiones anteriores a la 3.4.7, exist\u00eda una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en el endpoint dependente_docdependente.php de la aplicaci\u00f3n WeGIA. Esta vulnerabilidad permite a los atacantes inyectar scripts maliciosos en el par\u00e1metro nome. Los scripts inyectados se almacenan en el servidor y se ejecutan autom\u00e1ticamente cada vez que los usuarios acceden a la p\u00e1gina afectada, lo que supone un riesgo de seguridad significativo. Esta vulnerabilidad se corrigi\u00f3 en la 3.4.7."}], "lastModified": "2025-08-22T21:12:45.760", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DA7B47E-6DE6-4877-8208-AF317856A44D", "versionEndExcluding": "3.4.7"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}