CVE-2025-54076: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in versions prior to 3.4.6 in the `pre_cadastro_atendido.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the `msg_e` parameter. Version 3.4.6 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-54076 is a Reflected Cross-Site Scripting (XSS) vulnerability identified in the WeGIA web management application developed by LabRedesCefetRJ. WeGIA is an open-source platform primarily targeting Portuguese-speaking charitable institutions. The vulnerability exists in versions prior to 3.4.6 within the `pre_cadastro_atendido.php` endpoint, specifically in the handling of the `msg_e` parameter. Improper neutralization of input in this parameter allows an attacker to inject malicious scripts that are reflected back to the user without proper sanitization or encoding. This type of vulnerability falls under CWE-79, which concerns improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) shows that the attack can be launched remotely over the network without privileges and with low attack complexity, but requires user interaction (e.g., clicking a crafted link). The impact is primarily on confidentiality, as the attacker can execute scripts in the context of the victim’s browser, potentially stealing sensitive information such as session cookies or other private data. Integrity and availability are not directly affected. The vulnerability was fixed in version 3.4.6 of WeGIA. No known exploits are currently reported in the wild. Given the application’s focus on Portuguese language and charitable organizations, the user base is likely niche but sensitive. Attackers could leverage this vulnerability for phishing, session hijacking, or delivering malicious payloads to users interacting with the vulnerable endpoint.
Potential Impact
For European organizations, the impact depends on the adoption of WeGIA within charitable or non-profit sectors, especially those serving Portuguese-speaking communities or collaborating with Portuguese institutions. If deployed, the vulnerability could allow attackers to compromise user sessions, steal confidential data, or conduct targeted phishing campaigns against donors, volunteers, or staff. This could lead to reputational damage, loss of trust, and potential data protection violations under GDPR if personal data is exposed. While the vulnerability does not affect system integrity or availability, the confidentiality breach risks are significant in environments handling sensitive donor or beneficiary information. Additionally, the requirement for user interaction means social engineering could be used to exploit the vulnerability, increasing the risk for less security-aware users. Organizations relying on WeGIA should consider the threat in the context of their user base and data sensitivity.
Mitigation Recommendations
1. Immediate upgrade to WeGIA version 3.4.6 or later, where the vulnerability is patched, is the most effective mitigation.
2. Implement strict input validation and output encoding on all user-supplied data, especially parameters like `msg_e` that are reflected in responses.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
4. Educate users about the risks of clicking on suspicious links and encourage cautious behavior to reduce the likelihood of successful social engineering.
5. Conduct regular security assessments and code reviews focused on input handling and sanitization practices within web applications.
6. Monitor web server logs for unusual request patterns targeting the vulnerable endpoint to detect potential exploitation attempts.
7. If upgrading immediately is not feasible, consider implementing web application firewall (WAF) rules to detect and block malicious payloads targeting the `msg_e` parameter.
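Recommendation 6 as an added example (not part of the original advisory or of WeGIA's code): a Python scan of web server access logs that flags requests to `pre_cadastro_atendido.php` whose `msg_e` value decodes to markup. The log lines are constructed, and the combined-log layout, the request paths and the pattern list are assumptions to adapt to your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

ENDPOINT = "pre_cadastro_atendido.php"   # endpoint named in the advisory
PARAM = "msg_e"                          # reflected parameter named in the advisory

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Jul/2025:10:00:01 +0000] "GET /pre_cadastro_atendido.php?msg_e=Erro+ao+cadastrar HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Jul/2025:10:02:13 +0000] "GET /pre_cadastro_atendido.php?msg_e=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5177',
    '203.0.113.10 - - [18/Jul/2025:10:02:40 +0000] "GET /pre_cadastro_atendido.php?msg_e=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5170',
    '192.0.2.44 - - [18/Jul/2025:10:03:02 +0000] "GET /index.php?msg_e=%3Cb%3E HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumed heuristic: a plain status message should not contain tag
# delimiters, double quotes, a javascript: scheme or an on*= attribute.
MARKUP_RE = re.compile(r'[<>"]|javascript:|\bon\w+\s*=', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are inspected too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (client_ip, decoded msg_e) for each request that looks like markup."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/" + ENDPOINT):
            continue  # only the endpoint covered by this advisory
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if name == PARAM and MARKUP_RE.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

A hit shows that someone requested a crafted link, not that a browser executed it; pair the results with referrer and session data before treating one as an incident.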
Affected Countries
Portugal, Spain, France, Germany, United Kingdom, Belgium, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-16T13:22:18.206Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 687a6fc6a83201eaacf4f8b5
Added to database: 7/18/2025, 4:01:10 PM
Last enriched: 7/26/2025, 12:53:10 AM
Last updated: 8/30/2025, 5:03:45 AM