CVE-2025-57765 in WeGIA
Summary
by MITRE • 08/21/2025
WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the pre_cadastro_adotante.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.4.7.
Analysis
by VulDB Data Team • 08/21/2025
The WeGIA web application serves as a management platform for charitable institutions, handling sensitive data related to adoption processes and donor information. This application processes user inputs through various endpoints to manage institutional operations and maintain records of charitable activities. The vulnerability exists within the pre_cadastro_adotante.php endpoint which is responsible for processing adoption candidate registrations and related messaging functionality. The application's input validation mechanisms fail to properly sanitize user-supplied data before rendering it in web responses, creating a dangerous condition that can be exploited by malicious actors.
The reflected cross-site scripting vulnerability manifests specifically in the handling of the msg_e parameter within the pre_cadastro_adotante.php endpoint. Because the value of this parameter is written into the response without adequate sanitization or output encoding, script code placed in it is rendered as markup and executed in the browser of any user who opens the crafted link. This type of vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation (cross-site scripting). The attack occurs when an attacker crafts a URL containing script code in the msg_e parameter and delivers it to victims through social engineering techniques such as phishing emails or compromised websites.
The operational impact of this vulnerability is significant for charitable institutions using WeGIA, as it can lead to unauthorized access to sensitive adoption records and donor information. Attackers could execute scripts that steal session cookies, redirect users to fraudulent websites, or perform actions on behalf of authenticated users. Because the XSS is reflected, the payload is returned in the response to the request that carries it and is never stored on the server, which makes it well suited to targeted attacks against individual users. This vulnerability directly impacts the confidentiality and integrity of the charitable institution's data management system, potentially compromising the privacy of adoption candidates and donor information.
Mitigation strategies should focus on implementing proper input validation and output encoding mechanisms throughout the application's codebase. The fix in version 3.4.7 demonstrates the importance of sanitizing all user-supplied input before processing or displaying it in web responses. Organizations should deploy Content Security Policy headers to limit script execution and establish parameter validation routines that reject potentially malicious content. Additionally, regular security testing, including automated vulnerability scanning and manual penetration testing, should be conducted to identify similar issues in other endpoints. This vulnerability aligns with ATT&CK technique T1531 which describes the use of cross-site scripting to manipulate web applications and potentially gain unauthorized access to sensitive data. The remediation process should also include comprehensive code reviews to ensure all input parameters are properly validated and that the application follows secure coding practices as recommended by OWASP and other industry security standards.
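The reflection described above beside its output-encoded form, plus an access-log check for the endpoint and parameter the advisory names, as an added Python example that is not WeGIA's code: the render functions model the PHP endpoint's behaviour in Python, the log lines and the bare `/pre_cadastro_adotante.php` path are constructed, and the CSP value is an illustrative baseline rather than the project's setting.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Models the CWE-79 condition: msg_e is echoed into the page verbatim,
# so a value containing markup is interpreted by the browser as markup.
def render_message_vulnerable(msg_e: str) -> str:
    return f'<div class="erro">{msg_e}</div>'

# Output encoding: every HTML metacharacter (including quotes) becomes an
# entity, so the same value is displayed as text and never executed.
def render_message_safe(msg_e: str) -> str:
    return f'<div class="erro">{html.escape(msg_e, quote=True)}</div>'

# Illustrative Content Security Policy (assumption, not WeGIA's header):
# no inline script and no external origins, which blunts reflected payloads
# even where encoding is missed.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")

# Constructed common-log-format lines; the second carries an encoded
# script tag in msg_e, the first is a legitimate status message.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2025:10:00:01 +0000] "GET /pre_cadastro_adotante.php?msg_e=Campo+obrigatorio HTTP/1.1" 200 1234
10.0.0.9 - - [21/Aug/2025:10:00:07 +0000] "GET /pre_cadastro_adotante.php?msg_e=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1300
10.0.0.9 - - [21/Aug/2025:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 500
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markers of HTML/script injection: a tag opener, a javascript: URL, or an
# on*= event handler attribute (word boundary avoids words like "telefone=").
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

def flag_reflected_xss_attempts(log_text: str,
                                endpoint: str = "pre_cadastro_adotante.php",
                                param: str = "msg_e"):
    """Return (client_ip, decoded_value) for requests to the endpoint whose
    msg_e value contains markup. parse_qs percent-decodes, so encoded tags
    are visible to the regex."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(endpoint):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if MARKUP_RE.search(value):
                hits.append((line.split()[0], value))
    return hits
```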