Submit #597078: WeGIA WeGIA Web Gerenciador 3.4.0 Stored Cross Site Scriptinginfo

TitleWeGIA WeGIA Web Gerenciador 3.4.0 Stored Cross Site Scripting
Description???? PoC for Exploitation: Stored XSS in WeGIA 3.4.0 Vulnerability Type: Stored Cross-Site Scripting (XSS) Affected Application: WeGIA 3.4.0 Vulnerable Endpoint: /html/atendido/Cadastro_Atendido.php?cpf={CPF} Vulnerable Parameters: Nome and Sobrenome Impact: Persistent execution of arbitrary JavaScript code in the context of the application ???? Step-by-step PoC for Stored XSS in WeGIA 1 - Log in to the platform. Access the application with valid credentials. 2 - Go to the page /html/atendido/pre_cadastro_atendido.php and register a new user. Insert a valid CPF (you can use an online Brazilian CPF generator) and proceed to pre-register the user. 3 - Go to the page /html/atendido/Cadastro_Atendido.php?cpf={CPF} and insert the following payload in the "Nome" and "Sobrenome" fields, then click "Enviar": <script>alert('Poc VulDBeeee')</script> 4 - The HTTP request, if intercepted using a proxy such as Burp Suite, will look like this: #GET /WeGIA/controle/control.php?nome=%3Cscript%3Ealert%28%27PoC+VulDB%27%29%3C%2Fscript%3E&sobrenome=%3Cscript%3Ealert%28%27PoC+VulDB%27%29%3C%2Fscript%3E&sexo=m&telefone=%2899%2927199-81&nascimento=2000-10-10&intStatus=3&intTipo=1&nomeClasse=AtendidoControle&cpf=XXX&metodo=incluir HTTP/1.1 #Host: sec.wegia.org:8000 #Cookie: PHPSESSID=... #User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) #Referer: https://sec.wegia.org:8000/WeGIA/html/atendido/Cadastro_Atendido.php?cpf=CPF 5 - Go to “Pessoas” > “Atendidos” > “Cadastrar ocorrência”. This section loads the stored data of the registered person. 6 - The JavaScript payload will be executed every time the page /html/atendido/cadastro_ocorrencia.php is accessed, confirming that the application is vulnerable to Stored XSS.
Source⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README3.md
User
 RaulPACXXX (UID 84502)
Submission06/14/2025 18:05 (1 Year ago)
Moderation06/26/2025 10:11 (12 days later)
StatusAccepted
VulDB entry313962 [LabRedesCefetRJ WeGIA 3.4.0 Cadastro de Atendio Cadastro_Atendido.php Nome/Sobrenome cross site scripting]
Points20

PreviousOverviewNext

Might our Artificial Intelligence support you?

Check our Alexa App!