CVE-2025-6694 is a cross-site scripting (XSS) vulnerability identified in version 3.4.0 of the LabRedesCefetRJ WeGIA product. The vulnerability exists in the /html/matPat/adicionar_unidade.php file within the 'Adicionar Unidade' component. Specifically, the issue arises from improper sanitization or validation of the input parameter labeled 'Insira a nova unidade'. An attacker can remotely manipulate this argument to inject malicious scripts that execute in the context of the victim's browser. This type of vulnerability allows attackers to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability is classified as 'problematic' and has a CVSS v4.0 base score of 5.1, indicating a medium severity level. The vector details show that the attack can be performed remotely (AV:N), requires low attack complexity (AC:L), no privileges (PR:L) but does require user interaction (UI:P). The impact on confidentiality is none, low on integrity, and none on availability. The vendor has been contacted but has not responded or provided a patch, and no known exploits are currently reported in the wild, although the exploit details have been publicly disclosed. This lack of vendor response and public disclosure increases the risk of exploitation over time. The vulnerability affects only version 3.4.0 of WeGIA, which is a product developed by LabRedesCefetRJ, likely used in academic or research environments given the vendor's profile. The vulnerability is limited to a specific web application component, but due to the nature of XSS, it can be leveraged for a range of attacks against users of the affected system.

For European organizations using LabRedesCefetRJ WeGIA 3.4.0, this vulnerability could lead to targeted attacks against users of the affected web application. Although the direct impact on system confidentiality and availability is low, successful exploitation could compromise user sessions, steal credentials, or facilitate phishing attacks by injecting malicious scripts. This can lead to reputational damage, loss of user trust, and potential regulatory consequences under GDPR if personal data is compromised. Organizations in education, research, or institutions that deploy WeGIA may face increased risk, especially if the application is accessible over the internet. The medium severity score reflects that while the vulnerability is not critical, it still poses a meaningful threat that could be exploited in combination with other vulnerabilities or social engineering. The absence of a vendor patch and public exploit disclosure heightens the urgency for mitigation. European entities relying on this software should be aware of the potential for exploitation and the implications for user security and compliance.

Given the lack of an official patch, European organizations should implement immediate compensating controls. These include: 1) Applying strict input validation and output encoding on the 'Insira a nova unidade' parameter at the web application firewall (WAF) or reverse proxy level to block malicious payloads. 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3) Conduct thorough code reviews and, if possible, implement temporary manual sanitization of inputs within the affected PHP file until an official patch is released. 4) Limit user privileges and enforce least privilege principles to reduce the impact of any successful XSS attack. 5) Educate users about phishing risks and suspicious links, as user interaction is required for exploitation. 6) Monitor web server logs for unusual input patterns or repeated attempts to exploit the vulnerability. 7) Isolate the affected application from critical internal networks to contain potential breaches. 8) Engage with the vendor persistently for patch development and subscribe to vulnerability advisories for updates.