提交 #597078: WeGIA WeGIA Web Gerenciador 3.4.0 Stored Cross Site Scripting信息

标题	WeGIA WeGIA Web Gerenciador 3.4.0 Stored Cross Site Scripting
描述	???? PoC for Exploitation: Stored XSS in WeGIA 3.4.0 Vulnerability Type: Stored Cross-Site Scripting (XSS) Affected Application: WeGIA 3.4.0 Vulnerable Endpoint: /html/atendido/Cadastro_Atendido.php?cpf={CPF} Vulnerable Parameters: Nome and Sobrenome Impact: Persistent execution of arbitrary JavaScript code in the context of the application ???? Step-by-step PoC for Stored XSS in WeGIA 1 - Log in to the platform. Access the application with valid credentials. 2 - Go to the page /html/atendido/pre_cadastro_atendido.php and register a new user. Insert a valid CPF (you can use an online Brazilian CPF generator) and proceed to pre-register the user. 3 - Go to the page /html/atendido/Cadastro_Atendido.php?cpf={CPF} and insert the following payload in the "Nome" and "Sobrenome" fields, then click "Enviar": <script>alert('Poc VulDBeeee')</script> 4 - The HTTP request, if intercepted using a proxy such as Burp Suite, will look like this: #GET /WeGIA/controle/control.php?nome=%3Cscript%3Ealert%28%27PoC+VulDB%27%29%3C%2Fscript%3E&sobrenome=%3Cscript%3Ealert%28%27PoC+VulDB%27%29%3C%2Fscript%3E&sexo=m&telefone=%2899%2927199-81&nascimento=2000-10-10&intStatus=3&intTipo=1&nomeClasse=AtendidoControle&cpf=XXX&metodo=incluir HTTP/1.1 #Host: sec.wegia.org:8000 #Cookie: PHPSESSID=... #User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) #Referer: https://sec.wegia.org:8000/WeGIA/html/atendido/Cadastro_Atendido.php?cpf=CPF 5 - Go to “Pessoas” > “Atendidos” > “Cadastrar ocorrência”. This section loads the stored data of the registered person. 6 - The JavaScript payload will be executed every time the page /html/atendido/cadastro_ocorrencia.php is accessed, confirming that the application is vulnerable to Stored XSS.
来源	⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README3.md
用户	RaulPACXXX (UID 84502)
提交	2025-06-14 18時05分 (1 年前)
管理	2025-06-26 10時11分 (12 days later)
状态	已接受
VulDB条目	313962 [LabRedesCefetRJ WeGIA 3.4.0 Cadastro de Atendio Cadastro_Atendido.php Nome/Sobrenome 跨网站脚本]
积分	20

◂ 上一步一览下一步 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!