WeGIA Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in WeGIA, a web management application for charitable institutions, affecting versions prior to 3.2.8. This vulnerability allows attacker-supplied scripts to be executed in the browser context of every user who views the affected page. The malicious code is permanently stored on the server and executed whenever the compromised page is loaded. The issue was found in 'html/personalizacao.php', specifically within the 'titulo', 'subtitulo', 'conheça', 'objetivo', and 'rodape' parameters.

Impact

The vulnerability allows injected scripts to be executed in the context of the user's browser, affecting all users who access the compromised pages. Additionally, administrators interacting with the vulnerable fields could face account takeover risks if sensitive cookies or session tokens are stolen.

Reproduction

To reproduce this vulnerability, insert a script payload, such as a JavaScript alert, into one of the vulnerable fields on 'personalizacao.php' and save the changes. The injected script will be executed for any user accessing the home page or 'personalizacao.php', confirming the stored XSS.

Remediation

Users can update to WeGIA version 3.2.8 or later to address this vulnerability.
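The following PHP is an added illustration of the defect class described above and of the output-encoding fix; it is not WeGIA's own code, and the field names, the record layout and the sample content are assumptions modelled on the parameters listed in the advisory. The vulnerable function echoes stored customization text straight into the page, which is the pattern that turns a saved field into a stored XSS; the hardened function encodes every value at the point of output.

```php
<?php
// Added illustration, not WeGIA's code. Assumes a customization record
// with the fields named in the advisory (titulo, subtitulo, conheca,
// objetivo, rodape) is read from the database and rendered on the home
// page. The record below is constructed for the example.

declare(strict_types=1);

// Constructed sample: what a stored record looks like after someone saved
// a script in the 'titulo' field through personalizacao.php.
$personalizacao = [
    'titulo'    => 'Bem-vindo <script>alert(1)</script>',
    'subtitulo' => 'Instituição "Exemplo"',
    'conheca'   => 'Conheça nosso trabalho',
    'objetivo'  => 'Ajudar quem precisa',
    'rodape'    => '© 2025 Exemplo & Amigos',
];

// Vulnerable pattern: stored text is concatenated directly into HTML, so
// whatever was saved becomes live markup in every visitor's browser.
function renderVulnerable(array $p): string
{
    return '<h1>' . $p['titulo'] . '</h1>'
         . '<h2>' . $p['subtitulo'] . '</h2>'
         . '<p>' . $p['conheca'] . '</p>'
         . '<p>' . $p['objetivo'] . '</p>'
         . '<footer>' . $p['rodape'] . '</footer>';
}

// Hardened pattern: HTML-encode each stored value where it is emitted.
// ENT_QUOTES also encodes single quotes, so the result is safe inside
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an
// empty string, which would otherwise silently blank the field.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHardened(array $p): string
{
    return '<h1>' . h($p['titulo']) . '</h1>'
         . '<h2>' . h($p['subtitulo']) . '</h2>'
         . '<p>' . h($p['conheca']) . '</p>'
         . '<p>' . h($p['objetivo']) . '</p>'
         . '<footer>' . h($p['rodape']) . '</footer>';
}

// Review helper: true when the rendered page still carries an unencoded
// <script> opening tag, i.e. the stored payload would execute.
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach (['renderVulnerable', 'renderHardened'] as $renderer) {
    $html = $renderer($personalizacao);
    printf("%-16s live <script> tag: %s\n%s\n\n",
        $renderer,
        containsLiveScriptTag($html) ? 'yes' : 'no',
        $html);
}
```

Because the payload lives in the database rather than in the request, upgrading to a release that encodes output stops the script from running but does not remove the saved text; reviewing the existing contents of these fields after the update is the sensible follow-up. Encoding on output is the right fix here because the same stored value may later be emitted in other contexts; filtering on input would have to anticipate all of them.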

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.5
exploitability: 3.9
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.