| タイトル | Projeto SIGA SIGA WF 11.0.3.18 Cross Site Scripting |
|---|
| 説明 | A stored cross-site scripting (XSS) vulnerability was identified in SIGA WF version 11.0.3.18. The vulnerability affects the "Cadastro de Responsáveis" module, specifically the parameters "Nome" and "Descrição".
The application does not properly sanitize or encode user-supplied input before rendering it in the HTML response. The injected values are placed into the DOM within an '<a href>' context without proper output encoding, allowing execution of arbitrary JavaScript.
An attacker can inject a malicious payload such as:
<img src=x onerror=alert(document.cookie)//
The payload is stored and executed automatically when the affected data is displayed at `/sigawf/app/responsavel/listar`.
This vulnerability allows persistent execution of arbitrary JavaScript in the context of an authenticated user session, potentially leading to session data exposure and further exploitation. |
|---|
| ソース | ⚠️ https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel |
|---|
| ユーザー | vini_castro (UID 94745) |
|---|
| 送信 | 2026年04月03日 18:52 (23 日 ago) |
|---|
| モデレーション | 2026年04月24日 21:27 (21 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 359542 [projeto-siga 11.0.3.18 novo Nome/Descrição クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|