Cross-site scripting in WeGIA - #VU130448

 


Published: May 7, 2026


Vulnerability identifier: #VU130448
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in victims' browsers.

The vulnerability exists due to cross-site scripting in html/atendido/etapa_processo.php when rendering etapa descriptions. A remote privileged user can inject malicious HTML or JavaScript into the description field to execute arbitrary JavaScript in victims' browsers.

The injected script is stored and executed when users access the "Etapas de um Processo" page, which can lead to session hijacking and account takeover.
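
The class of flaw described above, as an added example that is not WeGIA's code or the vendor's fix: a stored description echoed as markup, next to the same rendering with output encoding applied. The $etapas rows, the field names and the e(), renderUnsafe() and renderSafe() helpers are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for stored etapa records (not WeGIA's schema).
$etapas = [
    ['id' => 1, 'descricao' => 'Triagem inicial'],
    ['id' => 2, 'descricao' => '<script>alert(1)</script>'],
    ['id' => 3, 'descricao' => 'Visita "domiciliar" & entrevista'],
];

// Hypothetical helper: encode a stored value for an HTML text or attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern (CWE-79): the stored text reaches the page as markup.
function renderUnsafe(array $etapas): string
{
    $html = '';
    foreach ($etapas as $etapa) {
        $html .= '<tr><td>' . $etapa['descricao'] . "</td></tr>\n";
    }
    return $html;
}

// Hardened pattern: every stored field is encoded at output time,
// in both the attribute and the element-content position.
function renderSafe(array $etapas): string
{
    $html = '';
    foreach ($etapas as $etapa) {
        $html .= sprintf(
            "<tr data-id=\"%d\"><td title=\"%s\">%s</td></tr>\n",
            (int) $etapa['id'],
            e($etapa['descricao']),
            e($etapa['descricao'])
        );
    }
    return $html;
}

echo "--- unsafe ---\n", renderUnsafe($etapas);
echo "--- safe ---\n", renderSafe($etapas);
```

Encoding at output time also covers descriptions that were stored before any input-side check was in place.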


Remediation

Install the security update from the vendor's website.
