CVE-2026-23724
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in WeGIA web manager allows attackers to inject malicious scripts into the 'Atendido' selection dropdown. This affects all users of WeGIA versions prior to 3.6.2, potentially compromising user sessions and stealing sensitive data.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface the application, or redirect users to malicious sites, potentially compromising the entire charitable institution's data.
Likely Case
Attackers inject malicious scripts that steal session cookies or credentials from users who interact with the vulnerable dropdown, leading to account compromise.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be neutralized, preventing any exploitation.
🎯 Exploit Status
Exploitation requires the attacker to have access to inject malicious payloads into the vulnerable field, which typically requires some level of authenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.2
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq
Restart Required: Yes
Instructions:
1. Download WeGIA version 3.6.2 from the official repository.
2. Back up your current installation and database.
3. Replace the existing files with the new version.
4. Restart the web server service.
🔧 Temporary Workarounds
Input Sanitization Filter
Implement server-side input validation and output encoding for the 'Atendido' dropdown field to neutralize malicious scripts.
Modify html/atendido/cadastro_ocorrencia.php to encode user-controlled values with htmlspecialchars() or a similar function before they are written into the page.
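The following is an added illustration of the output-encoding workaround, not code from WeGIA itself: a dropdown rendered by echoing stored values directly, shown beside a version that encodes each value for the HTML context it lands in. The function names and the sample rows are constructed for this example.

```php
<?php
// Added example, not WeGIA's own code. Constructed sample rows stand in
// for stored 'Atendido' records; one carries markup, as a stored XSS
// payload would once it has reached the database.
$atendidos = [
    ['id' => 1, 'nome' => 'Maria Silva'],
    ['id' => 2, 'nome' => "Conor O'Neil"],
    ['id' => 3, 'nome' => '<script>/* stored payload */</script>'],
];

// Vulnerable pattern: the stored value is written straight into the HTML,
// so any markup it contains is interpreted by the browser.
function renderAtendidoSelectUnsafe(array $rows): string
{
    $html = '<select name="atendido">';
    foreach ($rows as $row) {
        $html .= '<option value="' . $row['id'] . '">' . $row['nome'] . '</option>';
    }
    return $html . '</select>';
}

// Hardened pattern: encode for the output context. ENT_QUOTES is needed
// because the pre-PHP 8.1 default flags leave single quotes untouched,
// which matters for values placed inside single-quoted attributes.
// ENT_SUBSTITUTE prevents an empty string being returned on invalid UTF-8,
// which would otherwise silently drop a record from the list.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderAtendidoSelect(array $rows): string
{
    $html = '<select name="atendido">';
    foreach ($rows as $row) {
        // The id is cast to int so only digits can reach the attribute value.
        $html .= '<option value="' . (int) $row['id'] . '">' . e($row['nome']) . '</option>';
    }
    return $html . '</select>';
}

echo renderAtendidoSelectUnsafe($atendidos), PHP_EOL; // script element reaches the browser
echo renderAtendidoSelect($atendidos), PHP_EOL;       // rendered as literal text: &lt;script&gt;...
```

The same encoding must be applied at every place the 'Atendido' value is echoed, not only in the dropdown; a value that is safe in element text is still unsafe inside an unquoted attribute or a JavaScript string.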
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
- Restrict access to the vulnerable endpoint using network segmentation or authentication controls.
🔍 How to Verify
Check if Vulnerable:
Check if the application version is below 3.6.2 and test the html/atendido/cadastro_ocorrencia.php endpoint with XSS payloads in the 'Atendido' dropdown.
Check Version:
Check the WeGIA version in the application interface or review the source code for version markers.
Verify Fix Applied:
After upgrading to 3.6.2, test the same endpoint with XSS payloads to confirm they are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to cadastro_ocorrencia.php with script tags or JavaScript payloads
- Multiple failed login attempts following suspicious requests
Network Indicators:
- HTTP requests containing malicious script patterns in the 'Atendido' parameter
SIEM Query:
source="web_server_logs" AND uri="/html/atendido/cadastro_ocorrencia.php" AND (payload CONTAINS "<script>" OR payload CONTAINS "javascript:")