WeGIA Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability affects WeGIA versions prior to 3.6.2. The issue resides in the 'html/atendido/cadastro_ocorrencia.php' endpoint, where the user-controlled name of an 'Atendido' is written into the 'Atendido' selection dropdown without being sanitized or HTML-encoded. An attacker who can create or edit an 'Atendido' can therefore store arbitrary JavaScript in the name field, and that script executes whenever the page renders the dropdown.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to execute in the browser of any user who loads the affected page, within that user's authenticated session. Because the payload is stored on the server, it fires for every user who views the dropdown, not only the attacker. This could lead to session hijacking, account takeover, or unauthorized actions performed on behalf of the victim.

Reproduction

To reproduce this vulnerability, log in as a user with the ability to create or edit 'Atendidos'. In the 'Name' field, enter a script payload, such as a simple JavaScript alert. Save the 'Atendido', then navigate to 'html/atendido/cadastro_ocorrencia.php'. The stored payload is rendered unencoded into the 'Atendido' dropdown and executes as soon as the page loads.

Remediation

Update to WeGIA version 3.6.2 or later, where this vulnerability has been patched. Because the payload is stored, also review existing 'Atendido' names for script content after upgrading; the patch prevents execution on the vulnerable page but does not remove data that was already injected.
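The pattern behind this advisory, shown as an added example rather than WeGIA's own code: a stored 'Atendido' name echoed into a <select> without output encoding, next to the same rendering with HTML-entity encoding applied. The row layout, column names, function names and the sample payload are constructed for this illustration and are not taken from the real endpoint. A small check at the end lets a tester confirm, from the rendered page body, whether a script tag reached the dropdown unencoded.

```php
<?php
// Added example, not WeGIA's own code. The array below stands in for rows
// returned from the database; column names are assumed for illustration.
// The second row carries the kind of payload the reproduction describes.
$atendidos = [
    ['id_atendido' => 1, 'nome' => 'Maria da Silva'],
    ['id_atendido' => 2, 'nome' => '<script>alert(document.cookie)</script>'],
    ['id_atendido' => 3, 'nome' => 'José "Zé" O\'Neil & Filhos'],
];

// Vulnerable pattern: the name is concatenated straight into the markup, so a
// stored <script> tag becomes live script when the browser parses the dropdown.
function renderDropdownVulnerable(array $rows): string {
    $html = '<select name="id_atendido">' . "\n";
    foreach ($rows as $row) {
        $html .= '  <option value="' . $row['id_atendido'] . '">'
               . $row['nome'] . "</option>\n";
    }
    return $html . "</select>\n";
}

// Hardened pattern: every dynamic value is entity-encoded for the HTML context
// it lands in. ENT_QUOTES covers both quote styles so attribute values are safe
// too; ENT_SUBSTITUTE keeps invalid byte sequences from silently emptying the
// output; the explicit charset avoids relying on the default encoding.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderDropdownSafe(array $rows): string {
    $html = '<select name="id_atendido">' . "\n";
    foreach ($rows as $row) {
        $html .= '  <option value="' . esc((string) $row['id_atendido']) . '">'
               . esc($row['nome']) . "</option>\n";
    }
    return $html . "</select>\n";
}

// Tester's check against a rendered page body: a raw "<script" between the
// <select> tags means the stored name was emitted without encoding. An encoded
// payload appears as "&lt;script&gt;" and does not match.
function dropdownContainsRawScript(string $html): bool {
    if (!preg_match('#<select[^>]*>(.*?)</select>#is', $html, $m)) {
        return false;
    }
    return stripos($m[1], '<script') !== false;
}

echo "--- vulnerable rendering ---\n", renderDropdownVulnerable($atendidos);
echo "--- hardened rendering ---\n", renderDropdownSafe($atendidos);
echo "vulnerable dropdown carries live script: ",
     var_export(dropdownContainsRawScript(renderDropdownVulnerable($atendidos)), true), "\n";
echo "hardened dropdown carries live script:   ",
     var_export(dropdownContainsRawScript(renderDropdownSafe($atendidos)), true), "\n";
```

Run it with `php example.php`. Encoding at the point of output, rather than stripping tags on input, is the fix that survives the name being reused in other pages and contexts; input filtering alone leaves any record that was stored before the filter existed still dangerous.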

Added: Jan 16, 2026, 8:26 PM
Updated: Jan 16, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 4.4
remediation: 7.7
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.