LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- <= 3.6.1
A stored cross-site scripting vulnerability has been identified in the WeGIA application, prior to version 3.6.2. The issue resides in the 'html/pet/adotantes/cadastro_adotante.php' and 'html/pet/adotantes/informacao_adotantes.php' endpoints. The vulnerability allows for persistent JavaScript injection, as user input is not properly sanitized before being displayed in the Adopters Information table. This results in the automatic execution of injected scripts for any user who views the page.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser. This could lead to session hijacking, unauthorized account access, or actions performed on behalf of the user.
To reproduce this vulnerability, log in as a user with permission to manage adopters. In the 'Nome' field of the adopter form, insert a script payload, such as a JavaScript alert. After saving the form, navigate to the Adopters Information page. The injected script will execute automatically when the page is loaded.
Users can update to WeGIA version 3.6.2 or later, where this vulnerability has been fixed.
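The defect class described above, as an added PHP example that is not WeGIA's code or its 3.6.2 fix: the 'Nome' value is validated when the adopter is saved and HTML-encoded when the table row is rendered. The function names, the `nome` array key and the sample records are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; not taken from the WeGIA code base.

// Save side (adopter form handler): accept only name-like input, as defence in depth.
function validarNome(string $nome): bool
{
    // A letter first, then letters, combining marks, spaces, dots,
    // apostrophes or hyphens; 100 characters at most.
    return preg_match('/^[\p{L}\p{M}][\p{L}\p{M} .\'-]{0,99}$/u', trim($nome)) === 1;
}

// Display side: encode a stored value for an HTML text or attribute context.
function e(?string $valor): string
{
    return htmlspecialchars($valor ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Before: the stored value is concatenated into the table cell unchanged,
// so markup saved in the name field becomes part of the page.
function linhaInsegura(array $adotante): string
{
    return '<tr><td>' . $adotante['nome'] . '</td></tr>';
}

// After: the same row with the value encoded at output time.
function linhaSegura(array $adotante): string
{
    return '<tr><td>' . e($adotante['nome'] ?? null) . '</td></tr>';
}

// Constructed sample records standing in for rows read from the database.
$adotantes = [
    ['nome' => "Maria D'Ávila-Souza"],
    ['nome' => '<script>alert(1)</script>'],
];

foreach ($adotantes as $a) {
    printf("accepted on save: %s\n", var_export(validarNome($a['nome']), true));
    printf("before: %s\n", linhaInsegura($a));
    printf("after:  %s\n\n", linhaSegura($a));
}
```

Encoding at output is the control that closes the issue, because records saved before any input validation existed still reach the table.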