CVE-2025-53936: Cross-Site Scripting (XSS) Reflected endpoint personalizacao_selecao.php parameter nome_car

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-53936

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the personalizacao_selecao.php endpoint of the WeGia application. This vulnerability allows attackers to inject malicious scripts into the nome_car parameter.

Details

Vulnerable Endpoint: POST /html/personalizacao_selecao.php

Parameter: nome_car

PoC

Payload:

1

  "><img src=x onerror=alert('XSS-PoC5')>

Impact

• Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
• Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
• Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
• Stealing credentials: Attackers can steal a user's credentials.
• Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
• Defacing websites: Attackers can deface a website by altering its content.
• Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
• Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Reference

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-34vc-q923-v26p

Finder

Marcelo Queiroz

Contributor

Natan Maia Morette

By: CVE-Hunters