FKIE_CVE-2026-42872

Vulnerability from fkie_nvd - Published: 2026-05-11 20:25 - Updated: 2026-05-13 17:03
Severity
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a reflected Cross-Site Scripting (XSS) vulnerability exists in lista_arquivos_etapa.php due to improper handling of user-supplied input. The id_processo parameter is directly embedded into the HTML without sanitization, allowing attackers to inject arbitrary JavaScript. This can lead to session hijacking, credential theft, or execution of malicious actions in the context of the victim's browser. This vulnerability is fixed in 3.7.0.
References
security-advisories@github.comhttps://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gp6v-f6q5-wq62
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gp6v-f6q5-wq62
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a reflected Cross-Site Scripting (XSS) vulnerability exists in lista_arquivos_etapa.php due to improper handling of user-supplied input. The id_processo parameter is directly embedded into the HTML without sanitization, allowing attackers to inject arbitrary JavaScript. This can lead to session hijacking, credential theft, or execution of malicious actions in the context of the victim\u0027s browser. This vulnerability is fixed in 3.7.0."
    }
  ],
  "id": "CVE-2026-42872",
  "lastModified": "2026-05-13T17:03:32.490",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-11T20:25:43.690",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gp6v-f6q5-wq62"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gp6v-f6q5-wq62"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.