WeGIA Reflected Cross-Site Scripting Vulnerability in personalizacao_selecao.php Endpoint

A reflected cross-site scripting vulnerability has been identified in the WeGIA application, specifically in the personalizacao_selecao.php endpoint, for versions prior to 3.4.5. This vulnerability allows attackers to inject malicious scripts through the nome_car parameter. The issue arises because the application does not properly validate and sanitize user inputs, enabling the injection of harmful payloads that are executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser. This can lead to various consequences, such as stealing cookies, manipulating account information, or executing malicious code on the user's device.

Reproduction

To reproduce this vulnerability, send a POST request to the personalizacao_selecao.php endpoint with a payload in the nome_car parameter that includes a script injection, such as an image tag with an error event handler. The injected script will be reflected in the response and executed in the browser.

Remediation

Users can upgrade to WeGIA version 3.4.5 or later to address this vulnerability.