CVE-2025-53824

CVE-2025-53824: Cross-Site Scripting (XSS) Reflected endpoint `cadastro_pet.php` parameter `msg`

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-53824

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cadastro_pet.php endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the msg parameter.

Details

Vulnerable Endpoint: GET html/pet/cadastro_pet.php

Parameter: msg

PoC

Payload:

1
  ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Impact

Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
Stealing credentials: Attackers can steal a user's credentials.
Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
Defacing websites: Attackers can deface a website by altering its content.
Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.