LabRedesCefetRJ WeGIA
- 3.4.0
A stored cross-site scripting vulnerability has been identified in LabRedesCefetRJ WeGIA version 3.4.0. This issue resides in the Adicionar Unidade component, specifically within the file '/html/matPat/adicionar_unidade.php'. The vulnerability is triggered by manipulating the 'Insira a nova unidade' argument, allowing the injection of malicious JavaScript that is executed when the product registration interface is accessed. This flaw results from inadequate input validation or sanitization, posing a risk of session hijacking and other client-side attacks.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.
To reproduce this vulnerability, log into the WeGIA platform and navigate to 'Material e Patrimônio > Entrada > Registrar Entrada'. Once on the 'Cadastro de Produto' page, click the '+' button under the 'Unidade' tab to access the 'Adicionar Unidade' page. Here, register a new unit by entering a script payload, such as a JavaScript alert, into the unit name field. After submitting the form, the injected script will execute each time the 'Cadastro de Produto' page is loaded, demonstrating the stored cross-site scripting vulnerability.
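The two controls whose absence is described above, validation of the unit name on input and encoding of the stored value when the 'Cadastro de Produto' page renders it, shown as an added PHP example that is not WeGIA's own code. The function names, the `id_unidade` field name, the allowed character set and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: names, limits and field names are assumptions, not WeGIA code.

/** Input side: accept only short names made of letters, digits and a few symbols. */
function validar_unidade(string $nome): ?string
{
    $nome = trim($nome);
    // \p{L} = any letter (covers accented Portuguese), \p{N} = any digit.
    // With /u the {1,30} bound counts code points, not bytes.
    return preg_match('/^[\p{L}\p{N} .\/%-]{1,30}$/u', $nome) === 1 ? $nome : null;
}

/** Output side: encode a stored value for HTML text or a quoted attribute. */
function h(string $valor): string
{
    // Converts & < > " ' to entities so stored markup is displayed as text.
    return htmlspecialchars($valor, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the unit <select>; every stored name is encoded at output time. */
function render_unidades(array $unidades): string
{
    $html = "<select name=\"id_unidade\">\n";
    foreach ($unidades as $id => $nome) {
        $html .= sprintf("  <option value=\"%d\">%s</option>\n", $id, h($nome));
    }
    return $html . "</select>\n";
}

// Constructed sample rows; id 3 stands for a value stored before validation existed.
$armazenadas = [1 => 'Kg', 2 => 'Caixa', 3 => '<script>alert(1)</script>'];
echo render_unidades($armazenadas);

// Constructed form submissions checked against the input rule.
foreach (['Litro', 'm²', '<script>alert(1)</script>'] as $entrada) {
    $ok = validar_unidade($entrada) !== null;
    printf("%-28s => %s\n", $entrada, $ok ? 'accepted' : 'rejected');
}
```

Output encoding is the control that matters for rows already in the database; input validation only stops new entries and does not neutralize values stored earlier.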