WeGIA Stored Cross-Site Scripting Vulnerability in cadastrarSocio.php Endpoint

Vulnerability

A stored cross-site scripting vulnerability has been identified in the WeGIA application, specifically within the cadastrarSocio.php endpoint. This issue allows attackers to inject malicious scripts into the local_recepcao parameter. The injected scripts are stored on the server and executed automatically when the affected page is accessed by users, creating a significant security risk. This vulnerability affects WeGIA versions prior to 3.2.7 and has been patched in version 3.2.8.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the page, potentially leading to session hijacking, credential theft, and other browser-based attacks.

Reproduction

To reproduce this vulnerability, send a POST request to the /html/contribuicao/php/cadastrarSocio.php endpoint with a payload containing a script tag, such as <script>alert(1)</script>, in the local_recepcao parameter. The injected script will be executed automatically when the page is accessed by users.

Remediation

Users can update to WeGIA version 3.2.8 to address this vulnerability.
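
The class of fix for a stored XSS like this one is to encode the stored value for the HTML context when it is rendered, with input validation as a second layer. The following is an added example, not WeGIA source code and not the 3.2.8 patch. The function names, the 255-character limit and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not WeGIA source. Function names, the 255-character
// limit and the sample values are assumptions made for this example.

/** Normalise a submitted local_recepcao value before it is stored. */
function normalizeLocalRecepcao(string $raw, int $maxLen = 255): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('local_recepcao is not valid UTF-8');
    }
    // Drop control characters, then trim surrounding whitespace.
    $clean = trim((string) preg_replace('/[\x00-\x1F\x7F]/u', '', $raw));
    if ($clean === '' || mb_strlen($clean, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException('local_recepcao is empty or too long');
    }
    return $clean; // stored verbatim; escaping happens at output time
}

/** Vulnerable pattern: stored value concatenated into HTML unchanged. */
function renderUnsafe(string $stored): string
{
    return '<td>' . $stored . '</td>';
}

/** Hardened pattern: encode for the HTML context at the point of output. */
function renderSafe(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample inputs: one ordinary value and the payload from the advisory.
$samples = ['Recepção central', '<script>alert(1)</script>'];

foreach ($samples as $submitted) {
    $stored = normalizeLocalRecepcao($submitted);
    echo 'unsafe: ', renderUnsafe($stored), PHP_EOL;
    echo 'safe:   ', renderSafe($stored), PHP_EOL;
}
```

Validation alone does not stop the payload here, since it is a short, well-formed string; only the output encoding in renderSafe turns the markup into inert text.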

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.