CVE-2025-22132

Published: Jan 7, 2025Modified: Feb 13, 2025

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7.

Affected (1)

Products: Wegia: Wegia

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wegia Wegia	Before 3.2.7

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/nilsonLazarin/WeGIA/commit/330f641db43cfb0c8ea8bb6025cc0732de4d4d6b

Source: security-advisories@github.com

Patch

https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-h8hr-jhcx-fcv9

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.