CVE-2026-33136
Status: Received (Intake)
Reflected XSS in WeGIA listar_memorandos_ativos.php Endpoint

Publication date: 2026-03-20

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags through the sccd GET parameter, which is echoed directly into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php uses query-string parameters to display dynamic success messages to users. Like other endpoints in the Memorando module, it checks whether $_GET['msg'] equals 'success'; if so, it concatenates $_GET['sccd'] directly into an HTML alert <div> and reflects it to the browser. This issue is fixed in version 3.6.7.
Meta Information
Page generated: 2026-06-16
AI Q&A generated: 2026-03-20
EPSS evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor | Product | Version / Range
wegia | wegia | up to 3.6.7 (excluding), i.e. versions 3.6.6 and below
CWE
CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Detection Guidance

This vulnerability can be detected by testing the listar_memorandos_ativos.php endpoint for reflected Cross-Site Scripting (XSS) via the sccd GET parameter while the msg parameter equals 'success'. The sccd value is only reflected when that gate is satisfied, so a probe that omits msg=success will produce a false negative.

A practical method is to send a crafted HTTP request to the endpoint with msg=success and a sccd value containing a harmless, easily recognisable payload, then check whether the payload comes back in the HTML response without encoding. If the listing page is only reachable after login, send the request with a valid session cookie; an unauthenticated request may be redirected before the success message is ever rendered.

For example, with curl:

curl -i "https://your-wegia-domain/WeGIA/html/memorando/listar_memorandos_ativos.php?msg=success&sccd=<svg/onload=alert(document.cookie)>"

If the response body contains the injected tag verbatim rather than in encoded form (for example &lt;svg/onload=...&gt;), the vulnerability is present. An encoded reflection indicates that output encoding is in place. [1]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade WeGIA to version 3.6.7 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, HTML-encode the sccd value at the point where it is echoed into the alert div (in PHP, htmlspecialchars() with ENT_QUOTES and the page's charset) rather than trying to filter the input; encoding at the output sink is what neutralizes CWE-79. As defense in depth, a Content-Security-Policy that disallows inline script blocks the typical payload, and an HttpOnly session cookie limits what an injected script can read, though neither replaces the fix.

Additionally, warn users not to follow untrusted links to the application, since exploitation requires a victim to open an attacker-crafted URL.
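The detection check from the Detection Guidance section and the output-encoding mitigation above, as one added Python example. This is not WeGIA's code (the project itself is PHP): render_vulnerable() and render_fixed() imitate the reflection logic the advisory describes (sccd is concatenated into the alert div only when msg is 'success'), with html.escape(..., quote=True) standing in for PHP's htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). probe_url() builds a percent-encoded probe and check_reflection() classifies how a canary came back in a response body. The host name, the canary string and the surrounding HTML are assumptions.

```python
"""Reflected-XSS probe logic for the sccd parameter, plus a model of the
vulnerable and hardened server side. Added example, not WeGIA's own code."""
import html
from urllib.parse import urlencode

# Assumed host; the path is the one named in the advisory.
ENDPOINT = "https://wegia.example/WeGIA/html/memorando/listar_memorandos_ativos.php"

# Harmless, unique canary (constructed). It contains every character that HTML
# encoding must neutralise in this context: '<', '>', '"' and '='.
CANARY = '<xss-canary-7f3a onx="1">'


def render_vulnerable(query: dict) -> str:
    """Python model of the pre-3.6.7 logic: when msg == 'success', the raw
    sccd value is concatenated into the alert div."""
    body = "<h1>Memorandos ativos</h1>"
    if query.get("msg") == "success":
        body += '<div class="alert alert-success">' + query.get("sccd", "") + "</div>"
    return body


def render_fixed(query: dict) -> str:
    """Hardened form: encode at the output sink. html.escape(quote=True) is the
    counterpart of htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')."""
    body = "<h1>Memorandos ativos</h1>"
    if query.get("msg") == "success":
        safe = html.escape(query.get("sccd", ""), quote=True)
        body += '<div class="alert alert-success">' + safe + "</div>"
    return body


def probe_url(base: str = ENDPOINT, canary: str = CANARY) -> str:
    """Build the probe URL with msg=success and a percent-encoded canary, so the
    client sends exactly the intended bytes instead of mangling '<', '"' or '='."""
    return base + "?" + urlencode({"msg": "success", "sccd": canary})


def check_reflection(body: str, canary: str = CANARY) -> str:
    """Classify the response body:
    'raw'     - canary present with its tag characters intact (exploitable)
    'encoded' - canary present only in HTML-encoded form (neutralised)
    'absent'  - not reflected at all (msg gate not met, login redirect, ...)"""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"


def scan(render) -> dict:
    """Probe a render function twice, with and without the msg gate, so a
    negative result can be told apart from a probe that never reached the
    reflection branch at all."""
    gated = check_reflection(render({"msg": "success", "sccd": CANARY}))
    ungated = check_reflection(render({"sccd": CANARY}))
    return {"with_msg_success": gated, "without_msg": ungated}


if __name__ == "__main__":
    print("probe:     ", probe_url())
    print("vulnerable:", scan(render_vulnerable))
    print("fixed:     ", scan(render_fixed))
```

Against a live instance, fetch probe_url() with the application's session cookie and pass the response body to check_reflection(); the two-probe scan() exists because of the msg gate, which otherwise makes "absent" ambiguous.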

Executive Summary

CVE-2026-33136 is a critical Reflected Cross-Site Scripting (XSS) vulnerability in the WeGIA web application, specifically in the listar_memorandos_ativos.php script. The vulnerability occurs because the application takes the value of the sccd GET parameter and inserts it directly into an HTML alert div without any sanitization or encoding.

When the msg GET parameter equals "success", the script concatenates the sccd parameter into the HTML response. Since no encoding function such as htmlspecialchars() or htmlentities() is applied, an attacker can inject arbitrary JavaScript or HTML.

This lets an attacker craft a URL that, when visited by an authenticated user, executes a malicious script in that user's browser context. [1]

Impact Analysis

If an attacker convinces an authenticated user, such as an administrator or staff member, to open a specially crafted link exploiting this vulnerability, the injected script executes within that user's session. Possible consequences include:

- Session hijacking by stealing session cookies (e.g., PHPSESSID) where the cookie is not marked HttpOnly.
- Unauthorized administrative actions performed on behalf of the user; these do not depend on cookie theft, since the script already runs inside the victim's session.
- Redirection of the user to phishing or malicious websites.

The attack vector is network-based, the attack complexity is low and no privileges are needed, although a victim must be induced to open the link; the vulnerability has a CVSS v3.1 base score of 9.3. [1]
