CVE-2025-67496

Опубликовано: 09 дек. 2025

Источник: nvd

CVSS3: 4.3

CVSS3: 5.4

EPSS Низкий

Описание

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application does not sanitize user-controlled data before rendering it inside the employee selection dropdown. The application retrieves employee names from the database and injects them directly into HTML elements without proper escaping. This issue is fixed in version 3.5.5.

Ссылки

https://github.com/LabRedesCefetRJ/WeGIA/commit/c80b8cacd310fd459df61c030fb267c5e68cafc7
Patch
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.5.5
Release Notes
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9843-qm67-73h2
Exploit
Vendor Advisory
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9843-qm67-73h2
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

Версия до 3.5.5 (исключая)

EPSS

Процентиль: 10%

0.00035

Низкий

4.3 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

EPSS

Процентиль: 10%

0.00035

Низкий

4.3 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79