CVE-2025-23034 MEDIUM

CVE-2025-23034: Cross-Site Scripting (XSS) Reflected endpoint 'tags.php' parameter 'msg_e' in WeGIA

Vendor Labredescefetrj

Product WeGIA

Weakness CWE-79 · XSS

Published January 13, 2025

Last update January 14, 2025

View on NVD All CVEs

CVSS base score

6.4/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `tags.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the `msg_e` parameter. The application fails to validate and sanitize user inputs in the `msg_e` parameter. This lack of validation permits the injection of malicious payloads, which are reflected back to the user's browser in the server's response and executed within the context of the victim's browser. This issue has been addressed in version 3.2.6. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

January 13, 2025 CVE published

January 14, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-23034 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2025-23034: Cross-Site Scripting (XSS) Reflected endpoint 'tags.php' parameter 'msg_e' in WeGIA

01Description

02Disclosure timeline

03References

04Related CVE