CVE-2025-22597
Published: 10 January 2025
Summary
CVE-2025-22597 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WeGIA (vendor: Wegia). Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Portal Capture (T1056.003); ranked in the top 41.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the improper input sanitization in the CobrancaController.php endpoint by validating the local_recepcao parameter to block malicious script injection.
- SI-15 (Information Output Filtering): filters and encodes output on the affected page to prevent execution of stored malicious scripts in users' browsers.
- Flaw remediation: ensures timely identification, testing, and patching of the stored XSS flaw, as demonstrated by the fix in WeGIA version 3.2.8.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables browser-based input capture (keystroke logging), session hijacking via cookie theft, and web session cookie exfiltration in victim context.
NVD Description
WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the CobrancaController.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the local_recepcao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.8.
Deeper analysis
CVE-2025-22597 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting the WeGIA web application, which serves as a manager for charitable institutions. The flaw resides in the CobrancaController.php endpoint, where attackers can inject malicious scripts via the local_recepcao parameter. These scripts are persistently stored on the server and automatically execute whenever the affected page is accessed by users. The vulnerability carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L) and was published on 2025-01-10.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity by submitting crafted input to the vulnerable endpoint; exploitation also requires subsequent user interaction, such as viewing the affected page. Successful exploitation executes the injected scripts in the context of the victim's browser, potentially leading to high confidentiality and integrity impacts, such as theft of session cookies, keystroke logging, or account takeover, alongside limited availability disruption.
The GitHub Security Advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mgj3-g922-2r9v details the issue and confirms mitigation through an upgrade to WeGIA version 3.2.8, which addresses the improper input sanitization in the affected endpoint.
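The two controls named above, input validation (SI-10) and output filtering (SI-15), applied to a field like local_recepcao, as an added illustration that is not WeGIA's code or its 3.2.8 fix; the function names, the accepted character set and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added illustration (not WeGIA's code) of the two controls named above,
// SI-10 input validation and SI-15 output filtering, for a hypothetical
// "local_recepcao" field. Function names and the character set are assumptions.

// SI-10: validate on the way in. Treat the value as bounded free text in a
// conservative character set and reject anything else, rather than trying to
// strip "bad" substrings (which is what attackers learn to bypass).
function validateLocalRecepcao(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 100) {
        return null;
    }
    // Letters (including accented), digits, spaces and a few punctuation marks.
    if (!preg_match('/^[\p{L}\p{N} .,\-\/()]+$/u', $value)) {
        return null;
    }
    return $value;
}

// SI-15: encode on the way out for the HTML text context. Stored data is
// treated as untrusted even after validation, so a value that reached the
// database through an unpatched release still cannot execute in the browser.
function renderLocalRecepcao(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="local-recepcao">' . $safe . '</td>';
}

// Constructed sample inputs: one legitimate address, one carrying a script tag.
$samples = [
    'Sede - Rua das Flores, 10',
    '<script>alert(1)</script>',
];

foreach ($samples as $input) {
    $valid = validateLocalRecepcao($input);
    echo 'input : ', $input, PHP_EOL;
    echo 'SI-10 : ', $valid === null ? 'rejected' : 'accepted', PHP_EOL;
    // Rendering the raw value shows that even a value that bypassed
    // validation is emitted as inert text, not markup.
    echo 'SI-15 : ', renderLocalRecepcao($input), PHP_EOL, PHP_EOL;
}
```

The second sample is rejected at the validation layer and, if it were ever stored anyway, is rendered as `&lt;script&gt;...&lt;/script&gt;`, so neither control alone needs to be perfect for the page to stay safe.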
Details
- CWE(s)