LabRedesCefetRJ WeGIA
cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*
- <= 3.6.9
A stored cross-site scripting vulnerability has been identified in WeGIA versions prior to 3.6.10. This issue allows authenticated users to inject malicious JavaScript into the 'Destinatário' field. The injected payload is saved and executed when the dispatch page is viewed, affecting other users. The vulnerability arises from improper sanitization of user input, which is later rendered in the browser without adequate encoding, enabling the execution of malicious scripts.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected user, potentially leading to session theft, unauthorized actions on behalf of the user, and compromise of privileged accounts if accessed by an administrator.
To reproduce this vulnerability, change the name of a user to include a payload, for example a script tag containing JavaScript code such as an alert. Then create a dispatch that selects this user as the recipient and open the dispatch listing page, where the injected script is executed in the browser.
Users can update to WeGIA version 3.6.10 or later, where this vulnerability has been fixed. For developers, the issue can be addressed by changing how user input is handled before it is displayed. Instead of using methods that interpret HTML, such as .html(), which can execute scripts, use .text() to insert content as plain text. If HTML must be allowed, sanitize the content with a library like DOMPurify before using .html() to insert it.
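The output-encoding fix described above, as an added example that is not WeGIA's own code. It covers the case where a listing row is assembled as an HTML string rather than filled cell by cell with .text(); the field names id and destinatario, the function names and the sample records are assumptions made for illustration.

```javascript
// Added example: field names and sample records are constructed, not taken from WeGIA.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored values are concatenated straight into markup,
// so whatever was saved in the recipient name becomes part of the page.
function renderRowUnsafe(d) {
  return `<tr><td>${d.id}</td><td>${d.destinatario}</td></tr>`;
}

// Hardened pattern: every stored value is encoded at output time.
function renderRowSafe(d) {
  return `<tr><td>${escapeHtml(d.id)}</td><td>${escapeHtml(d.destinatario)}</td></tr>`;
}

// Count element start tags in a fragment. A well-formed row has exactly
// three (tr, td, td); anything more came from the data, not the template.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample records, shaped like a listing endpoint's response.
const dispatches = [
  { id: 1, destinatario: "Maria Silva" },
  { id: 2, destinatario: "<script>alert(1)</script>" },    // payload style named in the advisory
  { id: 3, destinatario: "Ana & João <ana@example.org>" }, // legitimate data with markup characters
];

// Render each record and report how many start tags the row ended up with.
function audit(render) {
  return dispatches.map((d) => ({ id: d.id, tags: countStartTags(render(d)) }));
}

console.log("unsafe:", audit(renderRowUnsafe));
console.log("safe:  ", audit(renderRowSafe));
```

The third record shows that encoding is also a correctness fix: without it, an ordinary name containing angle brackets is parsed as an unknown element and disappears from the listing.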