CVE-2025-62359 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79, discovered in the WeGIA web management application developed by LabRedesCefetRJ. WeGIA is an open-source platform primarily targeting Portuguese language users for institutional web management. The vulnerability affects versions prior to 3.5.0 and is located in the /pet/profile_pet.php endpoint, specifically in the id_pet parameter. Due to improper neutralization of input during web page generation, an attacker can craft a malicious URL containing JavaScript code injected into the id_pet parameter. When a victim accesses this URL, the injected script executes in the context of the victim’s browser, potentially leading to unauthorized actions such as session hijacking, credential theft, or redirection to malicious websites. The CVSS 4.0 vector indicates the attack is network-based (AV:N), requires low attack complexity (AC:L), no privileges (PR:L) or user interaction (UI:N), and impacts confidentiality, integrity, and availability to a limited extent (VC:N, VI:N, VA:N). The vulnerability is considered medium severity with a CVSS score of 5.3. No public exploits have been reported yet, but the vulnerability is publicly disclosed and fixed in version 3.5.0 of WeGIA. The root cause is insufficient input validation and output encoding on the id_pet parameter, which fails to sanitize malicious script payloads. This vulnerability highlights the importance of secure coding practices, especially in web applications handling user-supplied input. Organizations using WeGIA should upgrade to the latest version and review their input handling and output encoding mechanisms to prevent similar issues.

For European organizations using WeGIA, particularly those in educational or institutional sectors serving Portuguese-speaking users, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to execute arbitrary scripts in users’ browsers, leading to session hijacking, unauthorized actions, or phishing attacks. This can compromise user confidentiality and trust, potentially resulting in data leakage or reputational damage. Although the vulnerability does not directly impact system availability or integrity, the indirect effects of compromised user sessions or defacement can disrupt operations. Given the medium CVSS score and lack of required user interaction, the attack surface is relatively broad, especially if users can be tricked into clicking malicious links. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits post-disclosure. European organizations with public-facing WeGIA instances should consider the potential for targeted attacks, especially in countries with higher adoption or strategic interest in Portuguese language institutional tools. Failure to patch could expose these organizations to web-based attacks that undermine user security and organizational credibility.

The primary mitigation is to upgrade all WeGIA instances to version 3.5.0 or later, where the vulnerability is fixed. Organizations should audit their current deployments to identify affected versions and prioritize patching. Beyond patching, implement strict input validation on all user-supplied parameters, especially those reflected in web pages, to reject or sanitize potentially malicious input. Employ context-aware output encoding (e.g., HTML entity encoding) to neutralize scripts before rendering. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. Regularly conduct security testing, including automated scanning and manual code reviews, to detect similar injection flaws. Educate users about the risks of clicking suspicious links and encourage cautious behavior. Finally, monitor web server logs and application behavior for unusual requests targeting the vulnerable endpoint to detect potential exploitation attempts early.