nvd-json-data-feeds/CVE-2025/CVE-2025-226xx/CVE-2025-22613.json

{
  "id": "CVE-2025-22613",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2025-01-13T21:15:14.837",
  "lastModified": "2025-01-14T01:15:17.580",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `informacao_adicional.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the `descricao` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. The application fails to properly validate and sanitize user inputs in the `informacao_adicional.php` parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system. This issue has been addressed in version 3.2.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "WeGIA es un gestor web de c\u00f3digo abierto centrado en el idioma portugu\u00e9s y las instituciones ben\u00e9ficas. Se identific\u00f3 una vulnerabilidad Cross-Site Scripting Almacenado (XSS) en el `informacao_adicional.php` Endpoint de la aplicaci\u00f3n WeGIA. Esta vulnerabilidad permite a los atacantes inyectar Scripts maliciosos en el par\u00e1metro `descricao`. Los Scripts inyectados se almacenan en el servidor y se ejecutan autom\u00e1ticamente cada vez que los usuarios acceden a la p\u00e1gina afectada, lo que supone un riesgo de seguridad significativo. La aplicaci\u00f3n no puede validar y desinfectar correctamente las entradas del usuario en el par\u00e1metro `informacao_adicional.php`. Esta falta de validaci\u00f3n permite a los atacantes inyectar Scripts maliciosos, que luego se almacenan en el servidor. Cada vez que se accede a la p\u00e1gina afectada, el Payload malicioso se ejecuta en el navegador de la v\u00edctima, lo que puede comprometer los datos del usuario y sistema. Este problema se ha solucionado en la versi\u00f3n 3.2.6 y se recomienda a todos los usuarios que actualicen la versi\u00f3n. No se conocen Workarounds para esta vulnerabilidad."
    }
  ],
  "metrics": {
    "cvssMetricV40": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "4.0",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "privilegesRequired": "NONE",
          "userInteraction": "ACTIVE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "subAvailabilityImpact": "HIGH",
          "exploitMaturity": "NOT_DEFINED",
          "confidentialityRequirement": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "availabilityRequirement": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "valueDensity": "NOT_DEFINED",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "providerUrgency": "NOT_DEFINED"
        }
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/d47412372d94dc3ca26e6416b8315895c61224fa",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-fhpx-54ch-ccxh",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-fhpx-54ch-ccxh",
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
    }
  ]
}