Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a reflected Cross-Site Scripting (XSS) vulnerability exists in lista_arquivos_etapa.php due to improper handling of user-supplied input. The id_processo parameter is directly embedded into the HTML without sanitization, allowing attackers to inject arbitrary JavaScript. This can lead to session hijacking, credential theft, or execution of malicious actions in the context of the victim's browser. This vulnerability is fixed in 3.7.0.
Published: 2026-05-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected Cross‑Site Scripting (XSS) vulnerability exists in the WeGIA web manager, specifically in the file lista_arquivos_etapa.php. Because the id_processo parameter is inserted into the HTML without any sanitization, an attacker can inject malicious JavaScript. If a victim clicks a crafted link or visits a maliciously crafted page, the attacker can execute arbitrary script in the victim’s browser, potentially hijacking the session, stealing credentials, or performing malicious actions on the victim’s behalf.

Affected Systems

The flaw affects the WeGIA product from LabRedesCefetRJ. All releases older than version 3.7.0 are vulnerable; the issue is fixed in 3.7.0 and later.

Risk and Exploitability

With a CVSS score of 6.1, the vulnerability is considered moderate severity. The EPSS score is not available, and it is not listed in CISA’s KEV catalog, suggesting that mass exploitation is not yet widespread. The likely attack vector involves remotely reachable web pages; an attacker can embed a malicious link that references the vulnerable id_processo parameter, triggering the XSS when an authenticated user views the page. Successful exploitation would give the attacker the same privileges as the victim’s browser session.

Generated by OpenCVE AI on May 11, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeGIA to version 3.7.0 or later to eliminate the vulnerability.
  • Apply input validation or output encoding to the id_processo parameter so that any user‑provided data cannot be interpreted as script.
  • Restrict access to lista_arquivos_etapa.php so that only authenticated users with appropriate permissions can reach the page, and consider using a web application firewall to filter suspicious input.
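As an added illustration (not WeGIA's own code) of the second action above, the following PHP shows strict validation plus output encoding for a page like lista_arquivos_etapa.php; it assumes id_processo is a numeric process identifier that the page echoes into HTML.

```php
<?php
// Added illustration, not WeGIA's code: hardening a page like
// lista_arquivos_etapa.php that reflects the id_processo request
// parameter into HTML. Assumption: id_processo is a numeric process id.
declare(strict_types=1);

// Vulnerable pattern (CWE-79): the raw query value is reflected verbatim,
// so any markup in it becomes part of the rendered page.
//   echo '<h2>Processo ' . $_GET['id_processo'] . '</h2>';

// Defense 1: strict input validation. Returns null for anything that is
// not a positive integer, so the caller rejects the request instead of
// echoing attacker-controlled text back to the browser.
function validateIdProcesso(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays, nulls and other shapes are rejected
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Defense 2: output encoding at the sink. ENT_QUOTES covers both quote
// styles (attribute context) and ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently turning the output into an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$id = validateIdProcesso($_GET['id_processo'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id_processo parameter.'); // static text, input not reflected
}

// Encode even after validation so the page stays safe if the validation
// rule is later relaxed. The link applies URL encoding for the query value
// and HTML encoding for the attribute it sits in.
$safeId = h((string) $id);
echo '<h2>Arquivos da etapa do processo ' . $safeId . '</h2>';
echo '<a href="lista_arquivos_etapa.php?id_processo=' . h(rawurlencode((string) $id)) . '">Atualizar</a>';
```

Either defense alone closes the reflected XSS for this parameter; keeping both means a later change to the validation rule does not reintroduce it.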


Advisories

No advisories yet.

History

Mon, 11 May 2026 20:45:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Labredescefetrj; Labredescefetrj wegia

Type: Vendors & Products
Values Removed: (empty)
Values Added: Labredescefetrj; Labredescefetrj wegia

Mon, 11 May 2026 19:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a reflected Cross-Site Scripting (XSS) vulnerability exists in lista_arquivos_etapa.php due to improper handling of user-supplied input. The id_processo parameter is directly embedded into the HTML without sanitization, allowing attackers to inject arbitrary JavaScript. This can lead to session hijacking, credential theft, or execution of malicious actions in the context of the victim's browser. This vulnerability is fixed in 3.7.0.

Type: Title
Values Removed: (empty)
Values Added: WeGIA: Reflected XSS in listar_arquivos_etapa.php

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-79

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T19:43:33.708Z

Reserved: 2026-04-30T18:49:06.711Z

Link: CVE-2026-42872

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-11T20:25:43.690

Modified: 2026-05-13T17:03:32.490

Link: CVE-2026-42872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T20:30:16Z

Weaknesses