WeGIA Reflected Cross-Site Scripting Vulnerability in Cargos.php Endpoint

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the WeGIA application, specifically in the cargos.php endpoint, prior to version 3.4.7. This vulnerability allows attackers to inject malicious scripts through the msg_e parameter, which are then executed in the context of the user's browser.
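The pattern behind a reflected XSS of this kind, shown as an added PHP illustration that is not WeGIA's code (the function names and surrounding markup are assumptions): a query parameter such as msg_e written into HTML unescaped, beside the escaped form that closes the hole.

```php
<?php
// Added illustration, not WeGIA's code: a status-message parameter such as
// msg_e echoed into HTML, first unescaped (the reflected-XSS pattern) and then
// escaped for an HTML context (the fix). Function names are assumptions.

declare(strict_types=1);

// Unsafe: the raw query parameter is concatenated straight into the markup,
// so any tags or script in msg_e become part of the rendered page.
function render_message_unsafe(string $msg): string
{
    return '<div class="alert alert-danger">' . $msg . '</div>';
}

// Safe: encode the value for an HTML text context before output. ENT_QUOTES
// also escapes both quote characters, so the same helper is usable inside
// attribute values; the explicit charset avoids encoding mismatches.
function render_message_safe(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="alert alert-danger">' . $escaped . '</div>';
}

// Constructed sample input containing markup, standing in for ?msg_e=...
$input = $_GET['msg_e'] ?? '<b class="x">test</b>';

// The unsafe form emits the markup live; the safe form emits it as entities.
echo render_message_unsafe($input), PHP_EOL;
echo render_message_safe($input), PHP_EOL;
```

Run it from the CLI to compare the two lines; only the escaped one is safe to place in a page served to other users.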

Impact

Successful exploitation executes attacker-supplied script in the victim's browser, potentially leading to theft of cookies, session tokens, or other sensitive information.

Reproduction

To reproduce this vulnerability, send a GET request to the 'html/geral/cargos.php' endpoint with a payload script injected into the 'msg_e' parameter. The injected script will be executed in the context of the user's browser.

Remediation

Users can upgrade to WeGIA version 3.4.7 or later to address this vulnerability.

Added: Aug 21, 2025, 5:24 PM
Updated: Aug 21, 2025, 6:28 PM