LabRedesCefetRJ WeGIA Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in LabRedesCefetRJ WeGIA version 3.4.0. The issue resides in the employee registration component, specifically within the 'Nome' and 'Sobrenome' input fields on the 'Cadastro de Funcionário' page. This vulnerability allows authenticated attackers to inject malicious JavaScript, which is then executed when the employee data is accessed elsewhere in the application. The lack of proper input validation and sanitization before data is stored in the database enables this exploitation, posing significant risks such as session hijacking and unauthorized data access.

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user's browser, potentially leading to session hijacking, unauthorized redirects, data theft, and other client-side attacks.

Reproduction

To reproduce this vulnerability, log into the application with valid credentials and navigate to the 'Cadastrar Funcionario' page. After inserting a valid CPF, access the 'cadastro_funcionario.php' page and inject a script payload into the 'Nome' and 'Sobrenome' fields. Once the data is submitted, the injected script will execute when the employee information is accessed through the 'Memorando' section, confirming the presence of stored cross-site scripting.