CVE-2026-23722
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in WeGIA web management software that allows unauthenticated attackers to inject malicious JavaScript into users' browsers. Attackers can steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. All organizations running WeGIA versions prior to 3.6.2 are affected.
💻 Affected Systems
- WeGIA (Web Manager for Charitable Institutions)
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the WeGIA system, and compromise sensitive charitable institution data including donor information and financial records.
Likely Case
Attackers steal user session cookies to gain unauthorized access to the system, potentially accessing or modifying sensitive charitable data.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers, preventing exploitation.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited and require minimal technical skill to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.2
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf
Restart Required: No
Instructions:
1. Download WeGIA version 3.6.2 or later from the official repository.
2. Backup your current installation and database.
3. Replace the vulnerable file html/memorando/insere_despacho.php with the patched version.
4. Verify the fix by testing the id_memorando parameter.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Deploy a WAF rule to block malicious XSS payloads in the id_memorando parameter
Input Validation Filter
Implement server-side input validation to sanitize the id_memorando parameter
Add input validation in PHP (note that FILTER_SANITIZE_STRING is deprecated since PHP 8.1 and strips tags rather than encoding them, so the value must still be HTML-encoded with htmlspecialchars() wherever it is echoed back into the page): $id_memorando = filter_var($_GET['id_memorando'] ?? '', FILTER_SANITIZE_STRING);
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Disable or restrict access to the vulnerable endpoint html/memorando/insere_despacho.php
🔍 How to Verify
Check if Vulnerable:
Test the id_memorando parameter in html/memorando/insere_despacho.php with a basic XSS payload like <script>alert('XSS')</script> and check if it executes in the browser.
Check Version:
Check the WeGIA version in the system configuration or by examining the software files for version indicators.
Verify Fix Applied:
After patching, test the same XSS payload to confirm it's properly sanitized and doesn't execute in the browser.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to html/memorando/insere_despacho.php with script tags or JavaScript in parameters
- Multiple failed login attempts following suspicious parameter values
Network Indicators:
- HTTP requests containing <script> tags or JavaScript code in the id_memorando parameter
- Unusual redirects from the WeGIA application
SIEM Query:
source="web_logs" AND uri="*insere_despacho.php*" AND (param="*<script>*" OR param="*javascript:*" OR param="*onerror=*" OR param="*onload=*")
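The SIEM query above matches literal markers, but payloads in access logs normally arrive URL-encoded (and sometimes double-encoded), so a literal `*<script>*` match can miss them. The following added example (not part of this advisory or the WeGIA project) applies the same markers to the id_memorando parameter of requests to insere_despacho.php after fully URL-decoding the value; it assumes combined-log-format lines and uses constructed sample entries.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Markers taken from the SIEM query; applied after URL-decoding (assumption).
XSS_MARKERS = re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.IGNORECASE)
TARGET_PATH = "insere_despacho.php"
PARAM = "id_memorando"

# Combined log format: only method, request target and status are needed.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C) are caught too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return the offending decoded id_memorando value, or None if the line is clean."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TARGET_PATH):
        return None
    # parse_qs already decodes once; decode again for nested encoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)
        if XSS_MARKERS.search(value):
            return value
    return None

def scan(lines):
    """Return (line number, decoded value) for every suspicious request."""
    return [(i, hit) for i, line in enumerate(lines, 1) if (hit := inspect_line(line))]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /html/memorando/insere_despacho.php?id_memorando=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /html/memorando/insere_despacho.php?id_memorando=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 700',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /html/memorando/insere_despacho.php?id_memorando=%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 700',
    '10.0.0.7 - - [01/Jan/2026:10:00:03 +0000] "GET /html/index.php?id_memorando=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for lineno, hit in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious {PARAM} value: {hit!r}")
```

Only the two encoded payloads aimed at insere_despacho.php are reported; the benign numeric id and the same marker on an unrelated path are not.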