CVE-2025-57764 is a Reflected Cross-Site Scripting (XSS) vulnerability identified in the WeGIA web management application developed by LabRedesCefetRJ, specifically affecting versions prior to 3.4.7. The vulnerability resides in the cargos.php endpoint, where the 'msg_e' parameter fails to properly neutralize user-supplied input before reflecting it back in the web page. This improper input sanitization allows an attacker to inject malicious JavaScript code that executes in the context of a victim's browser when they visit a crafted URL. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) shows that the attack can be launched remotely over the network without privileges, requires low attack complexity, no authentication, but does require user interaction (clicking a malicious link). The impact primarily affects confidentiality, as the attacker can steal sensitive information accessible via the victim's browser, such as session cookies or other data, but does not affect integrity or availability. There are no known exploits in the wild at the time of publication, and the issue is resolved in version 3.4.7 of WeGIA. This vulnerability is particularly relevant to organizations using WeGIA to manage charitable institution data, as exploitation could lead to unauthorized data disclosure or session hijacking through social engineering techniques.

For European organizations using WeGIA, this vulnerability poses a risk of client-side data theft and session hijacking, potentially exposing sensitive information related to charitable institution management. Since WeGIA is a specialized tool, the impact is concentrated on organizations in the nonprofit sector that rely on this software. Successful exploitation could lead to unauthorized access to user accounts or leakage of confidential data, undermining trust and compliance with data protection regulations such as GDPR. Although the vulnerability does not directly compromise server integrity or availability, the confidentiality breach could have legal and reputational consequences. Additionally, attackers could leverage this vulnerability as a foothold for further social engineering or phishing campaigns targeting employees or stakeholders of affected organizations.

To mitigate this vulnerability, European organizations should immediately upgrade WeGIA to version 3.4.7 or later, where the issue is fixed. If immediate upgrading is not feasible, organizations should implement strict input validation and output encoding on the 'msg_e' parameter at the web application firewall (WAF) or reverse proxy level to block malicious script payloads. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts in browsers. User awareness training should emphasize caution when clicking on unexpected links, especially those related to WeGIA. Regular security testing, including automated scanning for XSS vulnerabilities and code reviews, should be integrated into the software maintenance lifecycle. Monitoring web server logs for suspicious requests targeting cargos.php with unusual 'msg_e' parameter values can help detect attempted exploitation attempts early.