| Título | Projeto SIGA SIGA WF 11.0.3.18 Cross Site Scripting |
|---|
| Descrição | A stored cross-site scripting (XSS) vulnerability was identified in SIGA WF version 11.0.3.18. The vulnerability affects the "Cadastro de Responsáveis" module, specifically the parameters "Nome" and "Descrição".
The application does not properly sanitize or encode user-supplied input before rendering it in the HTML response. The injected values are placed into the DOM within an '<a href>' context without proper output encoding, allowing execution of arbitrary JavaScript.
An attacker can inject a malicious payload such as:
<img src=x onerror=alert(document.cookie)//
The payload is stored and executed automatically when the affected data is displayed at `/sigawf/app/responsavel/listar`.
This vulnerability allows persistent execution of arbitrary JavaScript in the context of an authenticated user session, potentially leading to session data exposure and further exploitation. |
|---|
| Fonte | ⚠️ https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel |
|---|
| Utilizador | vini_castro (UID 94745) |
|---|
| Submissão | 03/04/2026 18h52 (há 23 dias) |
|---|
| Moderação | 24/04/2026 21h27 (21 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 359542 [projeto-siga 11.0.3.18 novo Nome/Descrição Script de Site Cruzado] |
|---|
| Pontos | 20 |
|---|