CVE-2025-67496
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application does not sanitize user-controlled data before rendering it inside the employee selection dropdown. The application retrieves employee names from the database and injects them directly into HTML <option> elements without proper escaping. This issue is fixed in version 3.5.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67496
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
wegia wegia to 3.5.5 (inc)
wegia web_manager 3.5.4
wegia web_manager 3.5.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in WeGIA versions 3.5.4 and below. It occurs in the /WeGIA/html/geral/configurar_senhas.php endpoint where employee names retrieved from the database are injected directly into HTML <option> elements without proper sanitization or escaping. This allows an attacker to inject malicious scripts that get stored and executed in users' browsers when they view the affected page. The issue is fixed in version 3.5.5.

Impact Analysis

The Stored XSS vulnerability can allow attackers to execute malicious scripts in the context of the affected web application. This can lead to theft of user session data, unauthorized actions performed on behalf of users, or other malicious activities within the application. Since the vulnerability has a CVSS base score of 4.3 with low privileges required and no user interaction needed, it poses a moderate risk to users of the affected WeGIA versions.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the WeGIA application to version 3.5.5 or later, where the Stored Cross-Site Scripting (XSS) issue in the /WeGIA/html/geral/configurar_senhas.php endpoint has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67496. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart