LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- 3.4.0
A stored cross-site scripting vulnerability has been identified in LabRedesCefetRJ WeGIA version 3.4.0. The issue resides in the 'Adicionar tipo' component, specifically within the file '/html/matPat/adicionar_tipoEntrada.php'. The vulnerability allows for the injection of malicious JavaScript into the 'Insira o novo tipo' input field, which is then executed when the product registration interface is accessed. This flaw could lead to session hijacking or other client-side attacks.
Successful exploitation results in stored cross-site scripting: the injected script is persisted by the application and executes in the browser of any user who views the affected page, in the context of that user's session.
To reproduce this vulnerability, log into the WeGIA platform and navigate to 'Material e Patrimonio > Entrada > Registrar Entrada'. Once on the 'Cadastro de Produto' page, click the '+' button under the 'Tipo' tab to access the 'Adicionar Tipo de Entrada' page. Here, enter a new type using a script payload in the 'Insira o novo tipo' field and submit the form. The injected script will be executed each time the 'Cadastro de Entrada' page is loaded, demonstrating the stored cross-site scripting vulnerability.
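A mitigation sketch for the pattern described above, added here as an example and not taken from WeGIA's code: stored type names are encoded when rendered into the 'Tipo' list, and new values are validated before storage. The function names (`validarTipo`, `e`, `renderTipoSelect`), the allowed character set, the length limit and the sample rows are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: WeGIA's real functions, tables and columns are not shown on the page.

/** Validate a new "tipo" before storing it (defense in depth, not a substitute for encoding). */
function validarTipo(string $descricao): string
{
    $descricao = trim($descricao);
    // Assumed policy: letters (including accented), digits, space, hyphen; 1 to 100 characters.
    if (!preg_match('/^[\p{L}\p{N} \-]{1,100}$/u', $descricao)) {
        throw new InvalidArgumentException('Tipo inválido');
    }
    return $descricao;
}

/** Encode a stored value for HTML element content and quoted attribute values. */
function e(string $valor): string
{
    return htmlspecialchars($valor, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the "Tipo" <select>; each stored value is encoded at output time, so markup shows as text. */
function renderTipoSelect(array $tipos): string
{
    $html = '<select name="tipo">';
    foreach ($tipos as $id => $descricao) {
        $html .= sprintf('<option value="%d">%s</option>', (int) $id, e((string) $descricao));
    }
    return $html . '</select>';
}

// Constructed sample rows: the second represents a value stored before validation existed.
$tipos = [1 => 'Doação', 2 => 'Compra<script>/* constructed */</script>'];
echo renderTipoSelect($tipos), PHP_EOL;

// The same value is refused on the write path once validation is in place.
try {
    validarTipo('Compra<script>/* constructed */</script>');
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}
```

Output encoding is the control that closes the issue for values already in the database; the write-path validation only limits what can be stored from now on.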