A critical vulnerability has been discovered in the WeGIA Web Manager software that could allow an attacker to take control of a user's account. By tricking a user into clicking a specially crafted link, an attacker can inject malicious code that runs in the user's browser, potentially leading to data theft, credential compromise, and unauthorized actions performed on behalf of the user. This issue affects versions prior to 3.6.2 and should be patched immediately.

The vulnerability is a Reflected Cross-Site Scripting (XSS) flaw in the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode the value of the id_memorando GET parameter before it is displayed back to the user on the web page. An unauthenticated attacker can craft a malicious URL containing JavaScript code within this parameter and send it to a victim (e.g., via a phishing email). When the victim clicks the link, the malicious script executes within the security context of their browser session, allowing the attacker to bypass client-side security mechanisms.

This vulnerability is rated as critical severity with a CVSS score of 9.1, posing a significant risk to the organization. Successful exploitation could lead to session hijacking, allowing an attacker to impersonate legitimate users and gain unauthorized access to sensitive data and application functionality. Further consequences include the theft of user credentials, website defacement, redirection of users to malicious websites for malware delivery, and reputational damage to the charitable institution. A compromise resulting from this vulnerability could lead to a data breach, impacting donor trust and potentially violating data protection regulations.

Immediate Action: Immediately upgrade all instances of WeGIA is a Web Manager for Charitable Multiple Products to version 3.6.2 or a later version, which contains the fix for this vulnerability. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing web server access logs and application logs.

Proactive Monitoring: Security teams should actively monitor web server logs for GET requests to the insere_despacho.php file. Specifically, look for requests where the id_memorando parameter contains suspicious strings such as <script>, alert(), onerror=, or other HTML/JavaScript code fragments. Anomalous outbound traffic from client browsers interacting with the application could also indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block common XSS attack patterns in URL parameters. Additionally, enforcing a strict Content Security Policy (CSP) can help mitigate the risk by preventing the browser from executing unauthorized inline scripts.

Public Exploit Available: false

Given the critical severity (CVSS 9.1) and the unauthenticated nature of this vulnerability, immediate remediation is strongly recommended. Organizations must prioritize applying the update to version 3.6.2 or later across all affected systems to prevent potential compromise. While this CVE is not currently listed on the CISA KEV catalog, its high impact warrants urgent attention. Implementing compensating controls such as a WAF should be considered a critical secondary defense, but not a substitute for patching.