LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- < 3.2.8
A stored Cross-Site Scripting (XSS) vulnerability exists in WeGIA versions prior to 3.2.8. This issue allows unauthorized scripts to be executed in the user's browser. The injected payload is stored on the server and executed whenever the compromised page is loaded, impacting all users who access it. The issue was found in the 'documentos_funcionario.php' file, specifically within the 'id' parameter.
Exploitation allows for the injection and storage of malicious JavaScript that executes for all users on the affected page. This could lead to theft of sensitive information like session cookies and authentication tokens, redirection to malicious sites, manipulation of the application's interface for phishing or social engineering attacks, and a compromise of the application's integrity, severely affecting user experience and security.
To reproduce this vulnerability, insert a script payload, such as an alert script, into the 'id' parameter of the 'documentos_funcionario.php' page and save the changes. The injected script will be executed for any user accessing the page, confirming the stored XSS.
Users can update to WeGIA version 3.2.8 or later to address this vulnerability.
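For maintainers reviewing similar handlers, the following added example (not WeGIA's code and not the 3.2.8 patch) contrasts an unencoded echo of an 'id' request value with a validated and encoded one. It assumes 'id' is meant to be a positive integer; the function names and sample inputs are hypothetical, and PHP 8.0 or later is required.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; names are not taken from WeGIA.

/** Accept 'id' only if it is a positive integer (assumption: ids are numeric). */
function parse_id(mixed $raw): ?int
{
    if (!is_string($raw)) {            // rejects array input such as id[]=1
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Encode a stored or request-derived value before it is placed in HTML. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Weak pattern: the raw value reaches the markup unchanged. */
function render_unsafe(string $rawId): string
{
    return '<input type="hidden" name="id" value="' . $rawId . '">';
}

/** Hardened pattern: validate on input, encode on output. */
function render_safe(mixed $rawId): ?string
{
    $id = parse_id($rawId);
    if ($id === null) {
        return null;                   // caller should respond with HTTP 400
    }
    return '<input type="hidden" name="id" value="' . h((string) $id) . '">';
}

// Constructed sample inputs, not captured traffic.
$samples = ['42', '"><script>alert(1)</script>', '0', 'abc'];

foreach ($samples as $raw) {
    echo 'input:  ', $raw, PHP_EOL;
    echo 'unsafe: ', render_unsafe($raw), PHP_EOL;
    echo 'safe:   ', render_safe($raw) ?? '(rejected, HTTP 400)', PHP_EOL, PHP_EOL;
}
```

Values that are already stored should still pass through `h()` when rendered, since input validation added later does not clean existing records.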