| Название | Projeto SIGA SIGA WF 11.0.3.18 Cross Site Scripting |
|---|
| Описание | A stored cross-site scripting (XSS) vulnerability was identified in SIGA WF version 11.0.3.18. The vulnerability affects the "Cadastro de Responsáveis" module, specifically the parameters "Nome" and "Descrição".
The application does not properly sanitize or encode user-supplied input before rendering it in the HTML response. The injected values are placed into the DOM within an '<a href>' context without proper output encoding, allowing execution of arbitrary JavaScript.
An attacker can inject a malicious payload such as:
<img src=x onerror=alert(document.cookie)//
The payload is stored and executed automatically when the affected data is displayed at `/sigawf/app/responsavel/listar`.
This vulnerability allows persistent execution of arbitrary JavaScript in the context of an authenticated user session, potentially leading to session data exposure and further exploitation. |
|---|
| Источник | ⚠️ https://github.com/ViniCastro2001/Security_Reports/tree/main/siga/Stored-XSS-Responsavel |
|---|
| Пользователь | vini_castro (UID 94745) |
|---|
| Представление | 03.04.2026 18:52 (25 дни назад) |
|---|
| Модерация | 24.04.2026 21:27 (21 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 359542 [projeto-siga 11.0.3.18 novo Nome/Descrição межсайтовый скриптинг] |
|---|
| Баллы | 20 |
|---|