LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- < 3.6.2
A reflected cross-site scripting vulnerability has been identified in WeGIA, a web management system for charitable institutions, in versions prior to 3.6.2. The issue resides in the 'html/memorando/insere_despacho.php' file, where the value of the 'id_memorando' GET parameter is reflected into the page without output encoding. An unauthenticated attacker needs no account to craft the malicious URL; the injected JavaScript or HTML executes in the browser of any user who opens that link, with that user's session.
Exploitation of this vulnerability allows the execution of arbitrary JavaScript in the victim's browser, potentially leading to session cookie theft (where the session cookie is not marked HttpOnly), authentication bypass, or unauthorized actions performed on behalf of the user. It can also be used for UI redressing or defacement, as demonstrated in the proof of concept, where the attacker overlaid the application with external content such as an iframe, creating a phishing opportunity or a denial of service for that user's session.
To reproduce this vulnerability, send a GET request to 'html/memorando/insere_despacho.php' with the 'id_memorando' parameter set to a crafted payload consisting of a closing script tag followed by an iframe element; the closing script tag is needed because the parameter is reflected inside an inline script block. Styling the injected iframe to cover the entire viewport overlays the WeGIA interface with attacker-controlled content.
Users are advised to update to WeGIA version 3.6.2 or later. Developers should ensure that input received via the 'id_memorando' GET parameter is encoded for the context in which it is output. When writing into an HTML context, use 'htmlspecialchars' with ENT_QUOTES and the page's charset so that quotes are encoded as well as angle brackets. When writing into a JavaScript context, use 'json_encode' (ideally with JSON_HEX_TAG) so that a '</script>' sequence in the input can never terminate the script block. If, as its name suggests, 'id_memorando' is a numeric record identifier, validating it as an integer and rejecting anything else removes the injection surface entirely.
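The following PHP script is an added illustration, not code from WeGIA or from the advisory. It shows the reflection pattern the advisory describes, the two context-specific encoders recommended above, and integer validation, each run against a constructed payload of the shape used in the proof of concept. The function names, the hypothetical inline script and hidden input, and the attacker URL are assumptions for the example.

```php
<?php
// Added example (not WeGIA's own code). Names and the surrounding markup are hypothetical.

// Constructed payload in the shape the advisory describes: close the inline script
// block, then inject an iframe styled to cover the whole viewport.
const PAYLOAD = '</script><iframe src="https://attacker.example" '
    . 'style="position:fixed;top:0;left:0;width:100vw;height:100vh;border:0"></iframe>';

// VULNERABLE pattern: the raw GET value is interpolated into an inline script and
// into an HTML attribute with no encoding at all.
function render_vulnerable(string $idMemorando): string
{
    return "<script>var id_memorando = '" . $idMemorando . "';</script>\n"
         . "<input type=\"hidden\" name=\"id_memorando\" value=\"" . $idMemorando . "\">";
}

// HARDENED pattern: each sink gets the encoder that matches its context.
function render_hardened(string $idMemorando): string
{
    // JavaScript context: json_encode emits a valid JS string literal; JSON_HEX_TAG
    // turns < and > into \u003C and \u003E, so "</script>" cannot end the block.
    $js = json_encode(
        $idMemorando,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // HTML attribute context: encode &, <, >, " and ' for the page's charset.
    $html = htmlspecialchars($idMemorando, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<script>var id_memorando = " . $js . ";</script>\n"
         . "<input type=\"hidden\" name=\"id_memorando\" value=\"" . $html . "\">";
}

// STRONGEST fix (assumption: id_memorando is a numeric record identifier): accept
// only a positive integer before the value reaches any sink, otherwise return null.
function validated_id(array $get): ?int
{
    $id = filter_var(
        $get['id_memorando'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return ($id === false || $id === null) ? null : $id;
}

// Check used below: the page legitimately contains exactly one closing script tag,
// so any additional one means the input broke out of the script block.
function breaks_out(string $rendered): bool
{
    return substr_count(strtolower($rendered), '</script>') > 1;
}

if (PHP_SAPI === 'cli') {
    echo "vulnerable render breaks out of <script>: "
        . var_export(breaks_out(render_vulnerable(PAYLOAD)), true) . "\n";
    echo "hardened render breaks out of <script>:   "
        . var_export(breaks_out(render_hardened(PAYLOAD)), true) . "\n";
    echo "validated_id(payload): " . var_export(validated_id(['id_memorando' => PAYLOAD]), true) . "\n";
    echo "validated_id('42'):    " . var_export(validated_id(['id_memorando' => '42']), true) . "\n";
}
```

Run it with 'php example.php'. The vulnerable renderer reproduces the break-out; the hardened one keeps the payload inert in both the script and the attribute; and the integer validator rejects the payload outright while still accepting a normal identifier. Note that json_encode without JSON_HEX_TAG still escapes '/' as '\/' by default, which also defuses '</script>', but that protection disappears if JSON_UNESCAPED_SLASHES is ever added, so the explicit flag is the safer habit.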