| Titre | Projeto SIGA SIGA WF 11.0.3.18 Cross Site Scripting |
|---|
| Description | A stored cross-site scripting (XSS) vulnerability was identified in SIGA WF version 11.0.3.18. The vulnerability affects the "Cadastro de Responsáveis" module, specifically the parameters "Nome" and "Descrição".
The application does not properly sanitize or encode user-supplied input before rendering it in the HTML response. The injected values are placed into the DOM within an '<a href>' context without proper output encoding, allowing execution of arbitrary JavaScript.
An attacker can inject a malicious payload such as:
<img src=x onerror=alert(document.cookie)//
The payload is stored and executed automatically when the affected data is displayed at `/sigawf/app/responsavel/listar`.
This vulnerability allows persistent execution of arbitrary JavaScript in the context of an authenticated user session, potentially leading to session data exposure and further exploitation. |
|---|
| La source | ⚠️ https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel |
|---|
| Utilisateur | vini_castro (UID 94745) |
|---|
| Soumission | 03/04/2026 18:52 (il y a 24 jours) |
|---|
| Modérer | 24/04/2026 21:27 (21 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 359542 [projeto-siga 11.0.3.18 novo Nome/Descrição cross site scripting] |
|---|
| Points | 20 |
|---|