CVE-2025-54077 is a Reflected Cross-Site Scripting (XSS) vulnerability identified in the WeGIA web management application developed by LabRedesCefetRJ. WeGIA is an open-source platform primarily targeting Portuguese-speaking charitable institutions. The vulnerability exists in versions prior to 3.4.6 within the 'personalizacao.php' endpoint, specifically in the handling of the 'err' parameter. Improper neutralization of input allows attackers to inject malicious JavaScript code that is reflected back to the user without proper sanitization or encoding. This type of vulnerability falls under CWE-79, which concerns improper input validation during web page generation. Exploiting this vulnerability requires no authentication but does require user interaction, as the victim must visit a crafted URL containing the malicious payload. The CVSS v3.1 base score is 6.5 (medium severity), with an attack vector of network (remote), low attack complexity, no privileges required, user interaction required, and high impact on confidentiality but no impact on integrity or availability. The vulnerability enables attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to theft of sensitive information such as session cookies, personal data, or other confidential information accessible via the browser. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and fixed in version 3.4.6 of WeGIA. Organizations using affected versions should prioritize upgrading to the patched release to mitigate risk.

For European organizations, especially those operating charitable or non-profit institutions that use WeGIA, this vulnerability poses a significant risk to the confidentiality of user data. Successful exploitation could lead to session hijacking, unauthorized access to user accounts, or exposure of sensitive personal information. Given WeGIA's focus on Portuguese language users, organizations in Portugal and other Lusophone communities in Europe may be particularly affected. The reflected XSS could also be leveraged in phishing campaigns targeting employees or donors, undermining trust and potentially causing reputational damage. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach could have regulatory implications under GDPR, leading to legal and financial consequences. The medium severity rating reflects the balance between ease of exploitation and the scope of impact, but the risk is heightened if the application handles sensitive donor or beneficiary data.

1. Immediate upgrade to WeGIA version 3.4.6 or later, which contains the patch fixing the XSS vulnerability. 2. Implement strict input validation and output encoding on all user-supplied data, especially parameters reflected in web pages such as 'err'. Use context-aware encoding (e.g., HTML entity encoding) to prevent script injection. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4. Conduct regular security code reviews and penetration testing focusing on input handling and injection flaws. 5. Educate users and administrators about phishing risks associated with XSS attacks and encourage cautious behavior when clicking on links from untrusted sources. 6. Monitor web application logs for suspicious requests targeting the vulnerable endpoint to detect potential exploitation attempts. 7. If upgrading immediately is not feasible, consider temporary mitigations such as web application firewall (WAF) rules to block malicious payloads targeting the 'err' parameter.