{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23724", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-15T15:45:01.955Z", "datePublished": "2026-01-16T19:37:06.349Z", "dateUpdated": "2026-01-16T21:33:07.130Z"}, "containers": {"cna": {"title": "WeGIA Stored Cross-Site Scripting (XSS) \u2013 atendido_idatendido Parameter on Occurrence Registration Page", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq"}, {"name": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1333", "tags": ["x_refsource_MISC"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1333"}, {"name": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": "< 3.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T19:37:06.349Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the \u201cAtendido\u201d selection dropdown. This vulnerability is fixed in 3.6.2."}], "source": {"advisory": "GHSA-3r3q-8573-g3cq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T21:32:55.745192Z", "id": "CVE-2026-23724", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:33:07.130Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23724", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T21:32:55.745192Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:33:03.011Z"}}], "cna": {"title": "WeGIA Stored Cross-Site Scripting (XSS) \u2013 atendido_idatendido Parameter on Occurrence Registration Page", "source": {"advisory": "GHSA-3r3q-8573-g3cq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"status": "affected", "version": "< 3.6.2"}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq", "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1333", "name": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1333", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2", "name": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the \u201cAtendido\u201d selection dropdown. This vulnerability is fixed in 3.6.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T19:37:06.349Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23724", "state": "PUBLISHED", "dateUpdated": "2026-01-16T21:33:07.130Z", "dateReserved": "2026-01-15T15:45:01.955Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-16T19:37:06.349Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "matchCriteriaId": "419B3A85-5754-4198-A73E-92A9DA8E7A68", "versionEndExcluding": "3.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the \u201cAtendido\u201d selection dropdown. This vulnerability is fixed in 3.6.2."}], "id": "CVE-2026-23724", "lastModified": "2026-01-30T18:29:45.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-16T20:15:50.310", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1333"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:01:56.054973+00:00", "value": {"mitigation_remediation": ["Upgrade WeGIA to version 3.6.2 or later to apply the vendor\u2011provided fix for the stored XSS issue.", "Apply input validation and output encoding for the atendido_idatendido field in the dropdown, ensuring all rendered data undergoes HTML encoding to prevent future XSS vulnerabilities.", "Configure a web application firewall or implement server\u2011side checks to detect and block malicious script injections in the atendido_idatendido parameter before storage."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of WeGIA prior to 3.6.2. WeGIA is a web manager for charitable institutions that supports web\u2011based operations such as attendance tracking and case handling. Users running the older versions and employing the occurrence registration feature are at risk.", "description_and_impact": "The WeGIA application permits a stored XSS attack through the atendido_idatendido parameter in the occurrence registration page. Data supplied via this parameter is rendered directly within the Atendido selection dropdown without any sanitization. If a malicious user injects script code, that code will be persisted and later executed in the browsers of any user who views the dropdown, potentially allowing theft of session cookies, defacement, or redirection to phishing sites. The weakness is a classic input\u2011validation failure, identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact with limited impact on confidentiality or integrity, and the EPSS score of less than 1\u202f% suggests a very low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need to inject malicious content into the attendee field, which may be facilitated by any authenticated access that allows data submission. No additional privilege escalation or remote code execution is required, but the consequence is the ability to inject arbitrary client\u2011side scripts for the victim users."}}}}, "created": "2026-01-19T09:20:24.580260+00:00", "updated": "2026-04-18T16:15:04.592951+00:00", "vendors": ["wegia", "wegia$PRODUCT$wegia"]}