Cross-site scripting in WeGIA - CVE-2025-62358
Published: April 23, 2026
Vulnerability identifier: #VU127271
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2025-62358
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA
WeGIA
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to cross-site scripting in the /html/configuracao/configuracao_geral.php endpoint when handling the log parameter. A remote attacker can send a specially crafted URL to execute arbitrary JavaScript in the victim's browser.
If the victim is logged in and the session cookie is not flagged HttpOnly, exploitation can lead to session hijacking and account takeover. User interaction is required to open the crafted URL.
How to mitigate CVE-2025-62358
Install security update from vendor's website.