CVE-2025-22597: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the CobrancaController.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the local_recepcao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.8.
AI Analysis
Technical Summary
CVE-2025-22597 is a high-severity stored Cross-Site Scripting (XSS) vulnerability identified in the WeGIA web management application developed by LabRedesCefetRJ, which is used primarily by charitable institutions. The vulnerability exists in the CobrancaController.php endpoint, specifically in the handling of the local_recepcao parameter. An attacker can inject malicious JavaScript code into this parameter, which is then stored persistently on the server. When other users access the affected page, the malicious script executes in their browsers without their knowledge. This type of stored XSS can lead to a range of attacks including session hijacking, credential theft, unauthorized actions on behalf of users, and distribution of malware. The vulnerability is exploitable remotely over the network without requiring authentication, but it does require user interaction in the form of visiting the compromised page. The CVSS 3.1 base score is 8.3, reflecting high impact on confidentiality and integrity with low impact on availability. The vulnerability affects all versions of WeGIA prior to 3.2.8, where the issue has been fixed. No known exploits are currently reported in the wild, but the nature of stored XSS vulnerabilities makes them attractive targets for attackers due to their persistence and potential for widespread impact once exploited. The root cause is improper neutralization of user input during web page generation, a classic CWE-79 issue, indicating insufficient input validation or output encoding in the affected parameter. Organizations using WeGIA versions below 3.2.8 are at risk and should prioritize patching to mitigate this threat.
Potential Impact
For European organizations, especially charitable institutions or NGOs using the WeGIA platform, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive user data, including personal information of donors or beneficiaries, potentially violating GDPR and other privacy regulations. The stored XSS could be used to hijack user sessions, enabling attackers to impersonate legitimate users and perform unauthorized transactions or data modifications. This undermines trust in the organization and could result in reputational damage, financial loss, and regulatory penalties. Additionally, the vulnerability could be leveraged to distribute malware or conduct phishing attacks targeting users of the platform. Given the cross-border nature of many charitable organizations in Europe, the impact could extend beyond a single country, affecting multiple stakeholders. The requirement for user interaction (visiting the compromised page) means that social engineering or phishing campaigns could be used to increase exploitation success. The lack of known exploits in the wild currently provides a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
1. Immediate upgrade of WeGIA installations to version 3.2.8 or later, where the vulnerability is patched, is the most effective mitigation.
2. Implement strict input validation and output encoding for all user-supplied data, especially parameters like local_recepcao, to prevent injection of malicious scripts.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, reducing the impact of potential XSS attacks.
4. Conduct regular security audits and code reviews focusing on input handling and sanitization practices.
5. Educate users and administrators about the risks of clicking on suspicious links or visiting untrusted pages within the application.
6. Monitor web server logs and application behavior for unusual activities that may indicate attempted exploitation.
7. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting WeGIA endpoints.
8. Ensure proper session management and implement multi-factor authentication to limit the damage from compromised sessions.
These measures combined will reduce the risk and impact of exploitation beyond simply applying the patch.
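Items 2 and 3 of the recommendations (validation on input, encoding on output, and a CSP as defence in depth), as an added PHP illustration. This is not WeGIA's code; the helper names, the allowed character set and the CSP values are assumptions made for the example.

```php
<?php
// Added example, not WeGIA's code: hypothetical helpers for a field like
// local_recepcao. Names, the allowed character set and the CSP are assumed.
declare(strict_types=1);

// Encode a stored string for safe insertion into HTML text or a quoted attribute.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Server-side allow-list applied before storage. A reception location is a short
// human-readable label, so markup characters are rejected outright.
function validate_local_recepcao(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 100) {
        return null;
    }
    // letters (including accented), digits, spaces and basic punctuation only
    if (!preg_match('/^[\p{L}\p{N} .,\-\/()]+$/u', $value)) {
        return null;
    }
    return $value;
}

// The CWE-79 pattern the advisory describes: a stored value echoed verbatim.
// echo '<td>' . $row['local_recepcao'] . '</td>';

// Hardened rendering: encode at output time, every time, even for validated data,
// because rows already in the database may predate the validation rule.
function render_local_recepcao_cell(string $stored): string
{
    return '<td>' . html_encode($stored) . '</td>';
}

// Defence in depth: a CSP without 'unsafe-inline' blocks inline script execution
// if an encoding gap is missed elsewhere. It must be sent before any output.
if (!headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed samples: stored markup is rendered as text, and rejected on input.
echo render_local_recepcao_cell('<script>alert(1)</script>'), PHP_EOL;
var_dump(validate_local_recepcao('Sala 2 - Recepção'));  // plausible label
var_dump(validate_local_recepcao('<b>Recepção</b>'));     // contains markup
```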
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden, Poland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-01-07T15:07:26.774Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68ae0f66ad5a09ad005b18bf
Added to database: 8/26/2025, 7:47:50 PM
Last enriched: 8/26/2025, 8:03:17 PM
Last updated: 9/2/2025, 12:34:20 AM
Related Threats
- CVE-2025-58361: CWE-20: Improper Input Validation in MarceloTessaro promptcraft-forge-studio (Critical)
- CVE-2025-58353: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MarceloTessaro promptcraft-forge-studio (High)
- CVE-2025-32322: Elevation of privilege in Google Android (High)
- CVE-2025-22415: Elevation of privilege in Google Android (High)
- CVE-2025-22414: Elevation of privilege in Google Android (High)