WeGIA Reflected Cross-Site Scripting Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in WeGIA versions prior to 3.7.0. The issue resides in the file lista_arquivos_etapa.php, where the id_processo parameter is embedded into the HTML without proper sanitization. This flaw allows attackers to inject arbitrary JavaScript, potentially leading to session hijacking, credential theft, or execution of malicious actions in the context of the victim's browser.

Impact

Exploitation of this vulnerability allows for reflected Cross-Site Scripting, where injected JavaScript is executed in the context of the user's session. This could result in session hijacking, phishing attacks, defacement, or unauthorized actions performed on behalf of the user.

Reproduction

To reproduce this vulnerability, send a GET request to lista_arquivos_etapa.php with a crafted id_processo parameter that includes JavaScript, such as a script tag. The injected script will execute in the browser, demonstrating the XSS vulnerability.

Remediation

Users can upgrade to WeGIA version 3.7.0 or later to address this vulnerability.