WeGIA Stored Cross-Site Scripting Vulnerability Allowing Session Hijacking and Account Takeover

A stored cross-site scripting vulnerability has been identified in WeGIA versions prior to 3.7.3. This vulnerability allows authenticated users to inject malicious JavaScript into the 'Processo de Aceitação' page. The injected script is executed when the page is accessed, potentially leading to session hijacking and account takeover. The issue arises because the application fails to properly sanitize user input, particularly in the username field, which is displayed in system notifications. When a new process is created, the application renders the process description without adequate escaping, allowing any injected code to execute in the user's browser.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser, stealing session cookies, performing actions on behalf of authenticated users, and potentially taking over their accounts.

Reproduction

To reproduce this vulnerability, register a new process and inject a payload containing malicious JavaScript, such as an image tag with an 'onerror' event. The injected script will execute when the 'Processo de Aceitação' page is accessed.

Remediation

Users can update to WeGIA version 3.7.3 or later, where this vulnerability has been fixed.