Cross-site scripting in WeGIA - #VU130449

 

Published: May 7, 2026


Vulnerability identifier: #VU130449
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LabReDeS
Affected software:
WeGIA

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in victims' browsers.

The vulnerability exists due to cross-site scripting in html/atendido/processo_aceitacao.php when rendering user-controlled process description content. A remote privileged user can submit specially crafted input to execute arbitrary JavaScript in victims' browsers.

The injected script is stored and executed when users access the acceptance process page, which may enable session hijacking or account takeover.
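The stored-XSS pattern described above, and the output-encoding fix for it, shown as an added example. This is not WeGIA's code: the function names, the `descricao` cell class and the sample description are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the advisory does not show the code of
// html/atendido/processo_aceitacao.php, so these only model the pattern.

/** Unsafe pattern: the stored description is concatenated into HTML as-is. */
function renderDescriptionUnsafe(string $description): string
{
    return '<td class="descricao">' . $description . '</td>';
}

/** Hardened pattern: encode for the HTML context at output time. */
function renderDescriptionSafe(string $description): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    $encoded = htmlspecialchars(
        $description,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    // Line breaks are re-added after encoding, so <br> is the only tag emitted.
    return '<td class="descricao">' . nl2br($encoded, false) . '</td>';
}

/** Regression check: does the cell contain any tag other than <br>? */
function introducesMarkup(string $cellHtml): bool
{
    $inner = preg_replace('#^<td[^>]*>|</td>$#', '', $cellHtml);
    $inner = str_replace('<br>', '', (string) $inner);
    return strpos($inner, '<') !== false;
}

// Constructed sample value standing in for a stored process description.
$stored = "Awaiting documents\n<script>/* constructed marker */</script> \"quoted\"";

foreach (['renderDescriptionUnsafe', 'renderDescriptionSafe'] as $render) {
    $html = $render($stored);
    printf(
        "%s: introduces markup = %s\n%s\n\n",
        $render,
        introducesMarkup($html) ? 'yes' : 'no',
        $html
    );
}
```

Encoding at output rather than at storage keeps the stored value intact and protects every page that renders it, including rows written before the fix.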


Remediation

Install the security update from the vendor's website.
