CVE-2025-27418

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionar_tipo_atendido.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the tipo parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.16.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/commit/e2f258cc8fed8b7e5850114ce6e74bd9ba4f397f	Patch
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg	Exploit Third Party Advisory
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

History

10 Apr 2025, 18:37

Type	Values Removed	Values Added
CPE		cpe:2.3:a:wegia:wegia::::::::
Summary		(es) WeGIA es un gestor web de código abierto para instituciones enfocado en los usuarios de lengua portuguesa. Se identificó una vulnerabilidad de cross-site scripting (XSS) almacenado en el endpoint adicionar_tipo_atendido.php de la aplicación WeGIA. Esta vulnerabilidad permite a los atacantes inyectar secuencias de comandos maliciosas en el parámetro tipo. Las secuencias de comandos inyectadas se almacenan en el servidor y se ejecutan automáticamente cada vez que los usuarios acceden a la página afectada, lo que supone un riesgo de seguridad significativo. Esta vulnerabilidad se corrigió en la versión 3.2.16.
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/commit/e2f258cc8fed8b7e5850114ce6e74bd9ba4f397f -~~	() https://github.com/LabRedesCefetRJ/WeGIA/commit/e2f258cc8fed8b7e5850114ce6e74bd9ba4f397f - Patch
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg -~~	() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg - Exploit, Third Party Advisory
First Time		Wegia Wegia wegia
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4

04 Mar 2025, 17:15

Type	Values Removed	Values Added
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg -~~	() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ffcg-qr75-98mg -

03 Mar 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-03 16:15

Updated : 2025-04-10 18:37

NVD link : CVE-2025-27418

Mitre link : CVE-2025-27418

CVE.ORG link : CVE-2025-27418

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10