
CVE-2025-53525: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA

Low
Tags: Vulnerability, CVE-2025-53525, CWE-79
Published: Mon Jul 07 2025 (07/07/2025, 16:30:25 UTC)
Source: CVE Database V5
Vendor/Project: LabRedesCefetRJ
Product: WeGIA

Description

WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the profile_familiar.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_dependente parameter. This vulnerability is fixed in 3.4.3.

AI-Powered Analysis

Last updated: 07/14/2025, 21:43:36 UTC

Technical Analysis

CVE-2025-53525 is a reflected cross-site scripting (XSS) vulnerability in WeGIA, a web management platform for charitable institutions developed by LabRedesCefetRJ. The flaw is in the profile_familiar.php endpoint, specifically in the handling of the id_dependente parameter. Because input is not properly neutralized during web page generation (CWE-79), a value supplied in that parameter is reflected into the response without sanitization or encoding, so script injected there runs as arbitrary JavaScript in the context of the victim's browser session. All versions of WeGIA prior to 3.4.3 are affected; 3.4.3 fixes the issue. The CVSS 4.0 base score is 2, a low severity. The vector indicates that the attack is carried out remotely over the network and requires no privileges (AV:N, PR:N) but does need active user interaction, as is typical of reflected XSS (UI:A); the impact on the vulnerable system's confidentiality, integrity, and availability is none (VC:N, VI:N, VA:N), the impact on the subsequent system's confidentiality is low (SC:L), and exploit maturity is proof-of-concept (E:P). No known exploits are currently in the wild. In practice the vulnerability lets an attacker run script in the victim's browser, which could lead to session hijacking, phishing, or defacement, but the impact is limited by the nature of the application and the low CVSS score.

Potential Impact

For European organizations, the impact of this vulnerability depends on the adoption of the WeGIA platform within charitable institutions. Since WeGIA is targeted at managing charitable organizations, exploitation could lead to unauthorized script execution in users’ browsers, potentially compromising user sessions or stealing sensitive information such as cookies or tokens. This could undermine trust in the affected organizations and lead to reputational damage. However, the direct impact on core organizational IT infrastructure is limited, as the vulnerability does not allow for server-side compromise or data exfiltration directly. The low CVSS score reflects the limited impact and ease of exploitation. Nonetheless, given the sensitive nature of charitable organizations, even low-severity vulnerabilities can be leveraged for social engineering or targeted attacks against donors or beneficiaries. European organizations using versions prior to 3.4.3 should prioritize patching to prevent such risks.

Mitigation Recommendations

1. Immediately upgrade the WeGIA application to version 3.4.3 or later, where the vulnerability is patched.
2. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the id_dependente parameter, focusing on common XSS attack patterns.
3. Conduct regular security assessments and code reviews for custom or third-party web applications, especially those handling user input in dynamic web pages.
4. Educate users and administrators of charitable organizations about the risks of XSS and encourage cautious behavior when clicking on links or submitting data.
5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the WeGIA platform, reducing the impact of potential XSS attacks.
6. Monitor web server logs and application logs for unusual requests or error patterns related to the vulnerable endpoint to detect attempted exploitation.
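An added example (not code from the WeGIA project or this advisory) that turns recommendation 6 into a concrete check: it scans access-log lines for requests to profile_familiar.php whose id_dependente value is not a plain numeric record identifier. The combined log format, the endpoint path, and the sample entries are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
# The third line carries a non-numeric value, the second carries encoded markup.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2025:16:31:02 +0000] "GET /profile_familiar.php?id_dependente=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jul/2025:16:32:10 +0000] "GET /profile_familiar.php?id_dependente=42%22%3E%3Cscript%3E HTTP/1.1" 200 5190 "-" "Mozilla/5.0"
203.0.113.8 - - [07/Jul/2025:16:33:01 +0000] "GET /profile_familiar.php?id_dependente=abc HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jul/2025:16:33:44 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def is_valid_id_dependente(value: str) -> bool:
    """Allow-list check: the parameter names a record, so only a short decimal
    integer is acceptable. Quotes, angle brackets or any other character fail."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def find_suspicious_requests(log_text: str) -> list[dict]:
    """Return one record per request to profile_familiar.php whose decoded
    id_dependente value is not a plain integer (a likely XSS probe)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the scan
        url = urlsplit(m.group("target"))
        if not url.path.endswith("profile_familiar.php"):
            continue
        # parse_qs percent-decodes values, so %3Cscript%3E becomes <script>
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("id_dependente", []):
            if not is_valid_id_dependente(value):
                hits.append({"ip": m.group("ip"), "timestamp": m.group("ts"),
                             "id_dependente": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} id_dependente={hit['id_dependente']!r}")
```

The same allow-list rule is what the endpoint itself should enforce before using the parameter, with output encoding applied wherever it is written into the page.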


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-02T15:15:11.514Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 686bf83b6f40f0eb72ea9d73

Added to database: 7/7/2025, 4:39:23 PM

Last enriched: 7/14/2025, 9:43:36 PM

Last updated: 8/19/2025, 10:51:34 AM
