LabRedesCefetRJ WeGIA
- 3.4.0
A stored cross-site scripting vulnerability has been identified in LabRedesCefetRJ WeGIA version 3.4.0. The issue resides in the 'Adicionar tipo' component, specifically within the file '/html/matPat/adicionar_tipoSaida.php'. The vulnerability allows for the injection of malicious JavaScript into the 'Insira o novo tipo' input field, which is then executed in the context of the user viewing the product registration page. This could lead to session hijacking or other client-side attacks.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the affected page.
To reproduce this vulnerability, log into the WeGIA platform and navigate to 'Material e Patrimonio > Entrada > Registrar Saida'. Once on the 'Tipo' tab, add a new unit by injecting a script payload into the output type name field. After submitting the form, the injected script will execute each time the product registration page is accessed, demonstrating the stored cross-site scripting vulnerability.
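A mitigation sketch for the flaw described above, added here as an example and not taken from WeGIA's own code: the type name is validated when it is submitted and HTML-encoded when it is rendered on the product registration page. The function names, the `id` and `descricao` column names, and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the advisory does not show WeGIA's real code.

/** Validate a new type name before it is stored (defence in depth). */
function validateTipoName(string $raw): ?string
{
    $name = trim($raw);
    // Letters (accented included), digits, space and a little punctuation; 1-60 chars.
    if (preg_match('/^[\p{L}\p{N} .,()\/-]{1,60}$/u', $name) !== 1) {
        return null; // reject: the caller should show an error, not store the value
    }
    return $name;
}

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render stored types as <option> elements, encoding every field on output. */
function renderTipoOptions(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= sprintf(
            "<option value=\"%d\">%s</option>\n",
            (int) $row['id'],            // numeric key forced to an integer
            e((string) $row['descricao']) // stored text is never trusted
        );
    }
    return $html;
}

// Constructed rows standing in for database results, including one value
// that was stored before any validation existed.
$rows = [
    ['id' => 1, 'descricao' => 'Doação'],
    ['id' => 2, 'descricao' => '<script>/* constructed marker */</script>'],
];

// Encoding on read neutralises the legacy row: it is emitted as inert text.
echo renderTipoOptions($rows);

// Validation on write: the plain name passes, the markup value is refused.
var_dump(validateTipoName('Doação'), validateTipoName($rows[1]['descricao']));
```

Output encoding is the control that closes the stored XSS, because it also covers values already in the database; the input validation only limits what can be stored from now on.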