Description
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php handles dynamic success messages to users using query string parameters. Similar to other endpoints in the Memorando module, it checks if $_GET['msg'] equals 'success'. If this condition is met, it directly concatenates and reflects $_GET['sccd'] into an HTML alert <div>. This issue is resolved in version 3.6.7.
Published: 2026-03-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows injection of arbitrary JavaScript or HTML into the sccd GET parameter of the listar_memorandos_ativos.php page. This parameter is reflected directly into an HTML alert element without any input sanitization or encoding, enabling a reflected Cross-Site Scripting attack. A malicious payload executed in the victim's browser can steal session cookies, deface the interface, or redirect users to phishing sites.

Affected Systems

The web manager for charitable institutions, WeGIA, developed by LabRedesCefetRJ, is affected. Versions 3.6.6 and earlier contain the flaw; the issue was resolved in version 3.6.7.

Risk and Exploitability

The CVSS base score of 9.3 indicates critical severity. Exploitation requires only a crafted URL and does not need authentication or elevated privileges. The EPSS score below 1% suggests a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Threats arise when a victim opens a page containing the malicious sccd value, causing the browser to execute the injected script.

Generated by OpenCVE AI on March 20, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WeGIA 3.6.7 or later to eliminate the XSS flaw.
  • If upgrading cannot occur immediately, block or restrict access to listar_memorandos_ativos.php until the patch is applied.
  • Implement input validation or output encoding for the sccd parameter as a temporary workaround.
  • Educate users to avoid clicking suspicious URLs and consider using browser security extensions that block XSS attacks.
  • Monitor web server logs for unusual use of the sccd parameter and for client-side script errors to detect exploitation attempts.
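To make the description and the output-encoding recommendation above concrete, here is an added illustration (not code from the WeGIA project; the function names, alert markup and sample input are assumptions) of the unencoded concatenation the advisory reports, beside two hardened versions of the same success banner:

```php
<?php
// Added illustration, not code from the WeGIA project. Function names,
// the alert markup and the sample input below are assumptions.

// Vulnerable pattern as the advisory describes it: when msg=success, the
// sccd value is concatenated straight into the alert <div>, so any markup
// it carries is parsed by the browser as part of the page (CWE-79).
function render_success_banner_vulnerable(array $get): string
{
    if (isset($get['msg']) && $get['msg'] === 'success') {
        return '<div class="alert alert-success">' . ($get['sccd'] ?? '') . '</div>';
    }
    return '';
}

// Hardened version: same flow, but the untrusted value is HTML-encoded for
// the text context it lands in. ENT_QUOTES also escapes quotes, so the helper
// stays safe if the string is later moved into an attribute; the explicit
// charset avoids encoding mismatches. A query parameter can arrive as an
// array (sccd[]=...), so anything that is not a string is dropped.
function render_success_banner_hardened(array $get): string
{
    if (!isset($get['msg']) || $get['msg'] !== 'success') {
        return '';
    }
    $raw  = $get['sccd'] ?? '';
    $safe = htmlspecialchars(is_string($raw) ? $raw : '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert alert-success">' . $safe . '</div>';
}

// Stronger still: never echo user text. Map a short code from the query
// string to a fixed server-side message and encode that instead.
function render_success_banner_allowlisted(array $get): string
{
    $messages = [
        'created' => 'Memo created successfully.',
        'updated' => 'Memo updated successfully.',
    ];
    if (!isset($get['msg']) || $get['msg'] !== 'success') {
        return '';
    }
    $code = is_string($get['sccd'] ?? null) ? $get['sccd'] : '';
    $text = $messages[$code] ?? 'Operation completed.';
    return '<div class="alert alert-success">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// Constructed sample: a sccd value carrying markup rather than plain text.
$sample = ['msg' => 'success', 'sccd' => '<b>hello</b>'];
echo render_success_banner_vulnerable($sample), PHP_EOL;  // markup reaches the page as-is
echo render_success_banner_hardened($sample), PHP_EOL;    // markup is rendered as literal text
echo render_success_banner_allowlisted($sample), PHP_EOL; // unknown code falls back to a fixed message
```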

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 19:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wegia; Wegia wegia
CPEs                |                | cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
Vendors & Products  |                | Wegia; Wegia wegia

Fri, 20 Mar 2026 16:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Labredescefetrj; Labredescefetrj wegia
Vendors & Products  |                | Labredescefetrj; Labredescefetrj wegia

Fri, 20 Mar 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 11:00:00 +0000

Type        | Values Removed | Values Added
Description |                | WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php handles dynamic success messages to users using query string parameters. Similar to other endpoints in the Memorando module, it checks if $_GET['msg'] equals 'success'. If this condition is met, it directly concatenates and reflects $_GET['sccd'] into an HTML alert <div>. This issue is resolved in version 3.6.7.
Title       |                | WeGIA has Reflected Cross-Site Scripting (XSS) in `listar_memorandos_ativos.php` via `sccd` parameter
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T15:33:03.599Z

Reserved: 2026-03-17T20:35:49.928Z

Link: CVE-2026-33136

Vulnrichment

Updated: 2026-03-20T15:32:58.385Z

NVD

Status : Analyzed

Published: 2026-03-20T11:18:03.527

Modified: 2026-03-20T19:23:40.980

Link: CVE-2026-33136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:29Z

Weaknesses