| Field | Value |
|---|---|
| Title | Projeto SIGA SIGA WF 11.0.3.18 Cross Site Scripting |
| Description | A stored cross-site scripting (XSS) vulnerability was identified in SIGA WF version 11.0.3.18. It affects the "Cadastro de Responsáveis" module, specifically the "Nome" and "Descrição" parameters.<br>The application does not sanitize or output-encode user-supplied input before rendering it in the HTML response. The stored values are written into the DOM inside an `<a href>` element without output encoding, so a value that contains markup is parsed as markup and arbitrary JavaScript executes.<br>An attacker can store a payload such as `<img src=x onerror=alert(document.cookie)//` in either field (the trailing `//` turns whatever the template appends after the handler on the same line into a JavaScript comment, so the handler still parses).<br>The payload is persisted and executes automatically whenever the affected data is displayed at `/sigawf/app/responsavel/listar`.<br>This allows persistent execution of arbitrary JavaScript in the session context of any authenticated user who views the list, potentially exposing session data and enabling further exploitation. |
| Source | https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel |
| User | vini_castro (UID 94745) |
| Submitted | 2026-04-03 18:52 (24 days ago) |
| Moderation | 2026-04-24 21:27 (21 days later) |
| Status | Accepted |
| VulDB Entry | 359542 [projeto-siga 11.0.3.18 novo Nome/Descrição cross site scripting] |
| Points | 20 |
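As an added example, not code from SIGA WF or from the linked report, the following shows the rendering pattern the description names (a stored "Nome"/"Descrição" value interpolated verbatim into an `<a href>` row) beside an entity-encoded version, plus a check that tells the two outputs apart. The field names, payload and listing path come from the advisory; the record shape, the `/sigawf/app/responsavel/<id>` link target, the helper names and the sample record are assumptions made for illustration.

```javascript
// Added example (not SIGA WF's code). Field names, payload and listing path
// are from the advisory; the record shape, the /sigawf/app/responsavel/<id>
// link target and the helper names are assumptions for illustration.

// Payload quoted in the advisory.
const PAYLOAD = "<img src=x onerror=alert(document.cookie)//";

// Entity-encode a value for an HTML text node or a double-quoted attribute.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: stored values land in the markup verbatim, so a value
// containing "<" opens a new element and "onerror=" becomes a live handler.
// The trailing "//" in the payload comments out the "</a" that the template
// appends on the same line, so the handler still parses as JavaScript.
function renderRowUnsafe(r) {
  return `<tr><td><a href="/sigawf/app/responsavel/${r.id}">${r.nome}</a></td>` +
         `<td>${r.descricao}</td></tr>`;
}

// Hardened pattern: every value is encoded for the context it is written into
// (entity encoding for element content, percent-encoding for the URL path).
function renderRowSafe(r) {
  return `<tr><td><a href="/sigawf/app/responsavel/${encodeURIComponent(r.id)}">${encodeHtml(r.nome)}</a></td>` +
         `<td>${encodeHtml(r.descricao)}</td></tr>`;
}

// Collect the element names that actually start a tag in the output. Encoded
// text such as "&lt;img" never matches because it has no literal "<".
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// True when the rendered row contains any element the template did not emit.
const TEMPLATE_TAGS = new Set(["tr", "td", "a"]);
function hasInjectedTag(html) {
  return tagNames(html).some((t) => !TEMPLATE_TAGS.has(t));
}

// Constructed sample record: "Nome" carries the advisory's payload.
const sample = { id: 7, nome: PAYLOAD, descricao: "Responsável de teste" };

console.log("unsafe:", renderRowUnsafe(sample));
console.log("unsafe has injected tag:", hasInjectedTag(renderRowUnsafe(sample)));
console.log("safe:  ", renderRowSafe(sample));
console.log("safe has injected tag:", hasInjectedTag(renderRowSafe(sample)));
```

The check deliberately looks for literal tag openers rather than for the string `onerror`, because the hardened output still contains `onerror=` as harmless text; a detection that flags the substring would fire on both versions and tell you nothing about whether the markup is live.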