WeGIA Stored Cross-Site Scripting Vulnerability Allowing Session Hijacking and Account Takeover

Vulnerability

A stored cross-site scripting vulnerability has been identified in WeGIA, a web management tool for charitable institutions, in versions prior to 3.6.10. It allows an authenticated user to inject JavaScript that is later rendered on the Intercorrências notification page, where it executes whenever the page is viewed, potentially leading to session hijacking and account takeover. The root cause is that the application neither sanitizes nor output-encodes user input in the name fields, which are displayed verbatim in system notifications. When an 'intercorrência' is registered for a user whose name contains an injected payload, the resulting notification executes the script in the viewer's browser.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to run in the context of the victim's browser session, enabling theft of session cookies and actions performed on behalf of the authenticated user, with potential for account takeover.

Reproduction

To reproduce this vulnerability, register a patient and inject a script payload into the 'Name' or 'Sobrenome' field. After saving, add an 'Intercorrência' entry for the user. Then, navigate to the 'Intercorrências' notification page and click on 'Recentes' or 'Histórico' to observe the executed payload.

Remediation

Users should update to WeGIA version 3.6.10 or later, where this vulnerability has been patched.
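The defect described above is missing output encoding when a stored name is rendered into the notification page. The following is an added illustration, not WeGIA's code (WeGIA is a PHP application; this is written in Python so it can be run directly, and the record layout and field names nome/sobrenome are assumptions): the unencoded rendering beside the encoded form, plus a scan that flags records already stored with markup in their name fields so they can be reviewed after upgrading.

```python
import html
import re

# Constructed sample records standing in for stored patient rows; the field
# names (nome, sobrenome) and the layout are assumptions, not WeGIA's schema.
PATIENTS = [
    {"id": 1, "nome": "Maria", "sobrenome": "Silva"},
    {"id": 2, "nome": "Jo<script>alert(1)</script>", "sobrenome": "Santos"},
]


def render_notification_unsafe(patient: dict) -> str:
    """The defective pattern: the stored name is interpolated into HTML
    unencoded, so markup saved in the name field becomes part of the page."""
    return (f'<li class="intercorrencia">Nova intercorrência para '
            f'{patient["nome"]} {patient["sobrenome"]}</li>')


def render_notification(patient: dict) -> str:
    """Hardened form: encode at output time for the HTML context.
    quote=True also escapes ' and ", which matters if the same value is ever
    placed inside an attribute."""
    nome = html.escape(patient["nome"], quote=True)
    sobrenome = html.escape(patient["sobrenome"], quote=True)
    return (f'<li class="intercorrencia">Nova intercorrência para '
            f'{nome} {sobrenome}</li>')


# Angle brackets (raw or entity-encoded) do not occur in real names, so any
# hit is a record written before encoding was enforced. Apostrophes are
# legitimate (O'Brien) and are deliberately not flagged.
_MARKUP = re.compile(r"[<>]|&(?:lt|gt);", re.IGNORECASE)


def find_markup_in_names(patients: list) -> list:
    """Return ids of records whose name fields contain HTML markup, for
    cleanup after deploying the patched version."""
    return [p["id"] for p in patients
            if _MARKUP.search(p["nome"]) or _MARKUP.search(p["sobrenome"])]


if __name__ == "__main__":
    for p in PATIENTS:
        print(render_notification(p))
    print("records to review:", find_markup_in_names(PATIENTS))
```

Upgrading stops new payloads from rendering, but values stored before the fix remain in the database, which is why the scan is run once after the patch.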

Added: Apr 17, 2026, 9:36 PM
Updated: Apr 17, 2026, 9:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 4.4
remediation: 7.7
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.