Description
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET['msg'] equals 'success'. If true, it directly concatenates $_GET['sccs'] into an HTML alert <div> and outputs it to the browser. This issue has been fixed in version 3.6.7.
Published: 2026-03-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS
Action: Apply Patch
AI Analysis

Impact

Researchers identified a Reflected Cross-Site Scripting (XSS) flaw in WeGIA's novo_memorandoo.php module. The flaw allows an attacker to embed arbitrary JavaScript through the sccs GET parameter, which is reflected without any filtering or encoding. When a user follows a crafted link, the injected script runs in the victim's browser, potentially leading to defacement, credential theft, or session hijacking. The weakness originates from the direct concatenation of user input into an HTML alert element, corresponding to CWE-79.

Affected Systems

This issue affects the LabRedesCefetRJ WeGIA web manager, specifically versions 3.6.6 and earlier. The affected component is the novo_memorandoo.php endpoint, which outputs success messages by echoing the sccs parameter into an HTML alert. All deployments of WeGIA running these versions are at risk until the patch is applied. The affected product is identified by the CPE cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS rating of 9.3 classifies the flaw as Critical. The EPSS score of less than 1% indicates that exploitation is not yet widespread, and the vulnerability is not listed in the CISA KEV catalog. Exploitation is remote and requires no authentication, but it does require user interaction: a victim must browse to a crafted URL carrying malicious sccs content. If successful, the payload executes with the victim's browser privileges, allowing attackers to steal session cookies or deface the interface.

Generated by OpenCVE AI on March 20, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WeGIA to version 3.6.7 or later, which includes the patch for the reflected XSS flaw.
  • If an upgrade is not immediately possible, validate or encode the sccs parameter before rendering it in the alert to prevent script execution.
  • Monitor web logs for URLs containing the sccs parameter and investigate any anomalous activity.
  • Consider restricting access to the novo_memorandoo.php endpoint until a patch is applied.
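To make the second recommendation concrete, here is a reconstructed illustration of the pattern the description attributes to novo_memorandoo.php, beside the encoded form. This is added example code, not WeGIA's own source; the function names, the alert markup and the allowlist message are assumptions.

```php
<?php
// Added illustration, not WeGIA's code: the description says the page checks
// $_GET['msg'] === 'success' and concatenates $_GET['sccs'] into an alert div.

// Vulnerable form: the sccs value reaches the HTML response unencoded,
// so any markup it contains is interpreted by the browser.
function render_success_alert_unsafe(array $get): string
{
    if (isset($get['msg']) && $get['msg'] === 'success') {
        return '<div class="alert alert-success">' . ($get['sccs'] ?? '') . '</div>';
    }
    return '';
}

// Hardened form: HTML-encode the value so it is rendered as text, not markup.
// ENT_QUOTES also encodes quotes, which matters if the value ever lands in an
// attribute; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function render_success_alert_safe(array $get): string
{
    if (isset($get['msg']) && $get['msg'] === 'success') {
        $text = htmlspecialchars((string) ($get['sccs'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return '<div class="alert alert-success">' . $text . '</div>';
    }
    return '';
}

// Stricter option: let the request select one of a fixed set of server-side
// messages keyed by sccs, so the request never controls the message content.
function render_success_alert_allowlist(array $get): string
{
    $messages = ['saved' => 'Memorando salvo com sucesso.']; // constructed sample
    $key = (string) ($get['sccs'] ?? '');
    if (($get['msg'] ?? '') === 'success' && isset($messages[$key])) {
        return '<div class="alert alert-success">' . $messages[$key] . '</div>';
    }
    return '';
}

// Demonstration with a constructed input that contains markup characters.
$sample = ['msg' => 'success', 'sccs' => '<b>saved</b>'];
echo render_success_alert_unsafe($sample), "\n";    // markup passes through unchanged
echo render_success_alert_safe($sample), "\n";      // angle brackets are entity-encoded
echo render_success_alert_allowlist($sample), "\n"; // unknown key: nothing is rendered
```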

Tracking


Advisories

No advisories yet.

History

Fri, 20 Mar 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wegia; Wegia wegia
CPEs | | cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products | | Wegia; Wegia wegia

Fri, 20 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Labredescefetrj; Labredescefetrj wegia
Vendors & Products | | Labredescefetrj; Labredescefetrj wegia

Fri, 20 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 11:00:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description section at the top of this page)
Title | | WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parameter
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


Subscriptions

Labredescefetrj Wegia
Wegia Wegia
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T13:44:02.877Z

Reserved: 2026-03-17T20:35:49.928Z

Link: CVE-2026-33135

Vulnrichment

Updated: 2026-03-20T13:43:52.010Z

NVD

Status: Analyzed

Published: 2026-03-20T11:18:03.360

Modified: 2026-03-20T19:25:45.043

Link: CVE-2026-33135

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:30Z

Weaknesses