CVE-2025-67496 is a stored Cross-Site Scripting (XSS) vulnerability identified in WeGIA, an open-source web management system tailored primarily for Portuguese language institutions. The vulnerability exists in versions 3.5.4 and earlier, specifically in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application retrieves employee names from its database and injects them directly into HTML <option> elements within a dropdown menu without proper escaping or sanitization. This improper neutralization of input (CWE-79) allows an attacker with at least low privileges (PR:L) to insert malicious JavaScript payloads into employee name fields, which are then stored and rendered in the web interface. When other users access the affected page, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, or other client-side attacks. The CVSS 3.1 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), and no integrity or availability impact (I:N, A:N). Although no known exploits have been reported in the wild, the vulnerability poses a risk to confidentiality through potential theft of sensitive session data or user information. The issue was resolved in version 3.5.5 by implementing proper input validation and output encoding to neutralize malicious scripts before rendering. Organizations using WeGIA should prioritize upgrading to the patched version to prevent exploitation.

For European organizations, the primary impact of this vulnerability lies in the potential compromise of user confidentiality through stored XSS attacks. Attackers could leverage this flaw to execute malicious scripts in the browsers of administrative or institutional users, potentially stealing session cookies, performing unauthorized actions on behalf of users, or conducting phishing attacks within the trusted application context. Although the vulnerability does not affect data integrity or system availability directly, the confidentiality breach can lead to further exploitation or lateral movement within the network. Institutions managing sensitive employee or institutional data are at risk of reputational damage and regulatory non-compliance, especially under GDPR, if personal data is exposed or misused. The medium CVSS score reflects the limited scope and impact but does not diminish the importance of timely remediation. Since WeGIA targets Portuguese language users, organizations in Portugal and Portuguese-speaking communities in Europe are particularly vulnerable. The risk extends to any European entity using WeGIA for institutional management, especially those with multiple users accessing the vulnerable endpoint.

To mitigate this vulnerability, organizations should immediately upgrade WeGIA to version 3.5.5 or later, where the issue is fixed. If upgrading is not immediately feasible, implement strict input validation and output encoding on all user-supplied data, especially employee names rendered in HTML option elements. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct a thorough audit of the employee database to identify and remove any malicious payloads that may have been injected prior to patching. Limit user privileges to reduce the risk of malicious input insertion and monitor logs for unusual activity related to the vulnerable endpoint. Additionally, educate users about the risks of XSS and encourage reporting of suspicious behavior. Regularly review and update web application security controls and perform penetration testing to detect similar vulnerabilities proactively.