A stored cross-site scripting flaw was found in the WeGIA web manager for charitable institutions. In versions older than 3.7.0, an attacker can inject JavaScript into the Description field of a user profile and have it persistently executed whenever the profile page is viewed. This enables script execution within the victim’s browser, potentially allowing cookie theft, session hijack, defacement, or other malicious actions. The weakness is specified as CWE-79, inputting unsanitized content in a context that is later rendered as HTML. The attacker must have write access to a profile to insert the malicious payload, so the attack requires authenticated user privileges.

The vulnerability affects the LabRedesCefetRJ WeGIA application. Versions prior to 3.7.0 are impacted. Users running WeGIA before the 3.7.0 release should verify their installed version and upgrade.

The CVSS score is 6.4, indicating a moderate severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, suggesting that it has not yet been widely exploited. Because the flaw requires a user with the ability to edit profile information, exploitation is limited to authenticated contexts or compromised accounts. Nonetheless, the stored nature of the payload means that any subsequent viewer of the profile could be affected, raising the potential for widespread abuse if a high‑privilege attacker can alter an official page.