Submission #597386: WeGIA WeGIA Web Gerenciador 3.4.0 Stored Cross Site Scripting Information

Title: WeGIA WeGIA Web Gerenciador 3.4.0 Stored Cross Site Scripting
Description: A persistent Cross-Site Scripting (XSS) vulnerability has been identified in the WeGIA system, specifically in the entry type registration flow within the module: Material > Patrimony > Entry > Type. The flaw allows an attacker to inject malicious JavaScript code into the entry type name field, which is then stored in the database and executed whenever the product registration interface is accessed. The script runs in the browser context of any user interacting with the page, enabling potential session hijacking, unauthorized redirects, or other client-side attacks. The lack of proper input validation or sanitization represents a critical security flaw that compromises both the integrity of the application and the safety of its users.

1. Log in to the platform.
2. Go to the section "Material e Patrimonio > Entrada > Registrar Entrada".
3. On the page /html/matPat/cadastro_produto.php, click the "+" button under the "Tipo" tab.
4. On the page /html/matPat/adicionar_tipoEntrada.php, register a new unit using the following XSS payload: <script>alert('Poc VulDB')</script> Then, click the first "Enviar" button to submit the form.
5. The payload will be stored in the system and will be executed every time the page /html/matPat/cadastro_entrada.php is loaded, confirming the presence of a Stored Cross-Site Scripting (XSS) vulnerability.
Source: https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README5.md
User: RaulPACXXX (UID 84502)
Submitted: 2025-06-16 01:15 (1 year ago)
Moderation: 2025-06-26 10:11 (10 days later)
Status: Accepted
VulDB Entry: 313963 [LabRedesCefetRJ WeGIA 3.4.0 Adicionar tipo adicionar_tipoEntrada.php Insira o novo tipo Cross-Site Scripting]
Points: 20
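The description above attributes the flaw to a stored entry type name being rendered without sanitization. The PHP below is an added example, not WeGIA's code, showing the two controls a reviewer would look for in such a flow: a server-side validation step on input and, more importantly, HTML escaping at the point of output, with a vulnerable renderer beside the hardened one. All function names, the sample rows and the `tipo` select markup are hypothetical; the payload string is the one quoted in the report.

```php
<?php
// Added example (not WeGIA's code): escaping a stored "entry type" name
// before it is rendered into HTML, the control whose absence the report
// above describes. Function and variable names are hypothetical.

declare(strict_types=1);

/**
 * Server-side validation for the entry type name on input.
 * Rejects empty/overlong values and control characters. It deliberately does
 * not "strip tags": output encoding (below) is the actual XSS control, and a
 * legitimate name such as "Caixa <10kg>" must survive storage intact.
 */
function validateEntryTypeName(string $name): string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        throw new InvalidArgumentException('Entry type name must be 1-100 characters');
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $name)) {
        throw new InvalidArgumentException('Control characters are not allowed');
    }
    return $name;
}

/** HTML-escape any untrusted string placed in element content or an attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the stored name is interpolated verbatim into the page. */
function renderTypeOptionsUnsafe(array $types): string
{
    $html = "<select name=\"tipo\">\n";
    foreach ($types as $id => $name) {
        $html .= "  <option value=\"$id\">$name</option>\n";
    }
    return $html . "</select>\n";
}

/** Hardened rendering: every untrusted value passes through h() at the point of output. */
function renderTypeOptionsSafe(array $types): string
{
    $html = "<select name=\"tipo\">\n";
    foreach ($types as $id => $name) {
        $html .= '  <option value="' . h((string) $id) . '">' . h($name) . "</option>\n";
    }
    return $html . "</select>\n";
}

// Defense in depth for any page that renders stored data: a CSP without
// 'unsafe-inline' keeps an injected <script> from running even if one escape
// is missed. Only meaningful under a web SAPI, so skipped on the CLI.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample data standing in for rows read back from the database.
$storedTypes = [
    1 => 'Doação',
    2 => "<script>alert('Poc VulDB')</script>", // the payload from the report, as stored
];

echo "--- unsafe (script element reaches the browser) ---\n";
echo renderTypeOptionsUnsafe($storedTypes);
echo "--- safe (rendered as inert text: &lt;script&gt;...) ---\n";
echo renderTypeOptionsSafe($storedTypes);

// Input-side check, as run when the form on adicionar_tipoEntrada.php is submitted.
try {
    $clean = validateEntryTypeName("<script>alert('Poc VulDB')</script>");
    echo "accepted for storage (neutralised on output): " . h($clean) . "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`: the unsafe renderer emits the script element byte for byte, while the safe renderer emits `&lt;script&gt;alert(&apos;Poc VulDB&apos;)&lt;/script&gt;`, which the browser shows as text. The input-side check accepts the payload on purpose; the fix for stored XSS is contextual encoding wherever the value is written into HTML (the listing on cadastro_entrada.php included), not a denylist at the form.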
