
CVE-2025-22132

Cross-Site Scripting (XSS) in File Upload

CVE-2025-22132: Cross-Site Scripting (XSS) in File Upload Field

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-22132

Vendor

WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions.

https://www.wegia.org

https://sol.sbc.org.br/index.php/latinoware/article/view/31544

Affected Product Code Base

WeGIA < v3.2.0

Vulnerability Description

A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the following endpoint:

/WeGIA/html/socio/sistema/controller/controla_xlsx.php

POC

After capturing the file upload request to /WeGIA/html/socio/sistema/controller/controla_xlsx.php, change the uploaded file's extension to .php%00, insert the payload into the file content and send the request.

<script>
    alert('XSS Exploited!');
</script>

Once uploaded, the file is reachable at /WeGIA/html/socio/sistema/tabelas/xss.php_00; opening it in the browser executes the script.
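As an added example (not WeGIA's own code), a hardened PHP handler for the XLSX upload described above: it rejects control characters such as the null byte in the client-supplied name, allowlists the extension and the sniffed MIME type, and stores the file under a server-generated name outside the web root. The form field name `sheet`, the upload directory and the MIME allowlist are assumptions.

```php
<?php
// Added example, not WeGIA's own code. Field name, upload directory and
// MIME allowlist are assumptions for illustration.
declare(strict_types=1);

const ALLOWED_EXT  = ['xlsx'];
// Recent libmagic reports this type for .xlsx; older builds may report
// application/zip. Check the deployment before tightening or widening this.
const ALLOWED_MIME = ['application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'];
const UPLOAD_DIR   = '/var/lib/wegia/uploads'; // assumed: not served by the web server

/**
 * Validate one entry of $_FILES and return the path it was stored under,
 * or throw RuntimeException with a short reason.
 */
function store_xlsx(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $name = (string) ($file['name'] ?? '');
    // A null byte (or any other control character) in a client-supplied
    // name is never legitimate: reject it rather than strip or replace it,
    // which is how ".php%00" ends up stored as a ".php_00"-style name.
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name) === 1) {
        throw new RuntimeException('Invalid filename');
    }
    // Extension allowlist on the final extension, compared case-insensitively.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('Only .xlsx files are accepted');
    }
    // Trust the bytes on disk, not the client's Content-Type header:
    // an HTML/script payload is rejected here even with a .xlsx name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('Unexpected content type: ' . $mime);
    }
    // Server-generated name: the client's name never reaches the filesystem,
    // and the directory is not served, so a stored file cannot be executed
    // or rendered by requesting it.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.xlsx';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

header('Content-Type: text/plain; charset=utf-8');
try {
    store_xlsx($_FILES['sheet'] ?? []);
    echo "Stored\n";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo $e->getMessage(), "\n";
}
```

Serving any downloaded copy back with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` closes the remaining path by which a browser could render uploaded bytes as HTML.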

Reference

https://www.cve.org/CVERecord?id=CVE-2025-22132

Discoverer

Natan Maia Morette

By: CVE-Hunters
