LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- <= 3.6.9
A stored cross-site scripting vulnerability has been identified in WeGIA, a web management tool for charitable institutions, in versions prior to 3.6.10. This vulnerability allows authenticated users to inject malicious JavaScript into the 'Nome' field on the 'Informações Pacientes' page. The injected payload is stored and executed when the patient information is accessed. The issue arises because the application fails to properly sanitize or encode user input, enabling the execution of malicious scripts in the browser.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could lead to theft of session data, actions performed on behalf of authenticated users, and potentially privilege escalation if the victim is an administrator.
To reproduce this vulnerability, register a patient and enter a payload, such as a script tag containing JavaScript code, into the 'Nome' field. After saving the patient information, navigate to the 'Informações Pacientes' page for the patient. The injected JavaScript will be executed in the browser.
Users can update to WeGIA version 3.6.10 or later, where this vulnerability has been fixed.
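The root cause described above (a stored 'Nome' value written into the page without encoding) is shown here as an added example next to an output-encoded version, with a small audit helper for records saved before the upgrade. This is not WeGIA's own code: it assumes PHP, the language WeGIA is written in, and the function names, table cell markup and sample rows are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these names come from WeGIA.

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so any markup saved in 'Nome' is parsed by the browser.
function renderNomeUnsafe(string $nome): string
{
    return '<td class="nome">' . $nome . '</td>';
}

// Hardened pattern: encode at output time for the HTML context.
// ENT_QUOTES encodes both quote styles (needed if the value is ever placed
// in an attribute); ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
// of returning an empty string.
function renderNomeSafe(string $nome): string
{
    $encoded = htmlspecialchars($nome, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="nome">' . $encoded . '</td>';
}

// Audit helper: flag already-stored names that contain HTML metacharacters
// so they can be reviewed by a person. Legitimate names with an apostrophe
// are flagged too, which is why this reports rather than deletes.
function findSuspiciousNames(array $rows): array
{
    return array_values(array_filter(
        $rows,
        static fn(array $row): bool => preg_match('/[<>"\'&]/', $row['nome']) === 1
    ));
}

// Constructed sample records (not real data).
$rows = [
    ['id' => 1, 'nome' => 'Maria da Silva'],
    ['id' => 2, 'nome' => '<script>alert(1)</script>'],
    ['id' => 3, 'nome' => "João D'Ávila"],
];

foreach ($rows as $row) {
    echo renderNomeSafe($row['nome']), PHP_EOL;
}

foreach (findSuspiciousNames($rows) as $row) {
    echo "review record {$row['id']}", PHP_EOL;
}
```

Encoding at output time, not only at input time, also neutralizes values that were stored before the fix was deployed.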