Cross-site scripting in WeGIA - #VU127340

 


Published: April 23, 2026


Vulnerability identifier: #VU127340
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in html/memorando/listar_memorandos_ativos.php when handling a crafted GET request with the sccd parameter while msg=success. A remote attacker can send a specially crafted URL to execute arbitrary script code in the victim's browser.

User interaction is required, and the victim must open the crafted URL.
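An added detection example, not part of the advisory or of WeGIA's code: it scans web server access logs for GET requests to the affected script where msg=success and the decoded sccd value contains HTML-significant characters. The combined log format, the /WeGIA/ URL prefix and the sample lines are constructed assumptions; only the script path and parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script path and parameter names are taken from the advisory text.
TARGET_PATH = "html/memorando/listar_memorandos_ativos.php"
# Characters that matter when a value is echoed into HTML unencoded.
SUSPICIOUS = re.compile(r"[<>\"'`]")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"GET (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic); /WeGIA/ prefix is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Apr/2026:10:00:01 +0000] "GET /WeGIA/html/memorando/'
    'listar_memorandos_ativos.php?msg=success&sccd=Memorando+enviado HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Apr/2026:10:02:17 +0000] "GET /WeGIA/html/memorando/'
    'listar_memorandos_ativos.php?msg=success&sccd=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5133',
    '203.0.113.9 - - [23/Apr/2026:10:02:40 +0000] "GET /WeGIA/html/memorando/'
    'listar_memorandos_ativos.php?msg=error&sccd=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5001',
    '203.0.113.7 - - [23/Apr/2026:10:03:02 +0000] "GET /WeGIA/html/home.php'
    '?sccd=%3Cb%3E HTTP/1.1" 200 900',
]

def flag_requests(lines):
    """Return (line_number, decoded_sccd) for requests matching the advisory's conditions."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a GET request line
        url = urlsplit(match.group(1))
        if not url.path.endswith(TARGET_PATH):
            continue  # different script
        # parse_qs percent-decodes once, as the web server would.
        query = parse_qs(url.query, keep_blank_values=True)
        if "success" not in query.get("msg", []):
            continue  # advisory condition: msg=success
        for value in query.get("sccd", []):
            if SUSPICIOUS.search(value):
                hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in flag_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious sccd value {value!r}")
```

Hits are leads for review, not proof of exploitation: a legitimate sccd value containing a quote character would also be flagged.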


Remediation

Install the security update from the vendor's website.
