LabRedesCefetRJ WeGIA Cross-Site Scripting Vulnerability in Cadastro_Atendido.php

A stored cross-site scripting vulnerability has been identified in LabRedesCefetRJ WeGIA version 3.4.0. The issue resides in the 'Cadastro de Atendio' component, specifically within the 'Cadastro_Atendido.php' file. The vulnerability is triggered by manipulating the 'Nome' and 'Sobrenome' parameters, allowing the execution of arbitrary JavaScript in the context of the application. This vulnerability can be exploited remotely and requires user interaction.

Impact

Exploitation of this vulnerability allows for the persistent execution of injected JavaScript code, executed in the context of the application, potentially leading to unauthorized actions or data exposure.

Reproduction

To reproduce this vulnerability, log into the WeGIA application with valid credentials. Navigate to the 'pre_cadastro_atendido.php' page and register a new user by entering a valid CPF. After registration, go to 'Cadastro_Atendido.php' and insert a script payload into the 'Nome' and 'Sobrenome' fields. Once submitted, the payload will be executed when accessing the 'cadastrar ocorrência' section, demonstrating the stored cross-site scripting vulnerability.