WeGIA versions before 3.6.10 contain a stored XSS vulnerability (CWE-79) that allows authenticated users to inject malicious scripts into the Intercorrências notification page. When other users visit this page, the injected script executes, potentially enabling session hijacking and account takeover. The vulnerability is addressed in version 3.6.10. There is no vendor advisory explicitly stating patch availability, but the version update indicates a fix.

Exploitation of this vulnerability allows an authenticated user to execute arbitrary JavaScript in the context of other users viewing the Intercorrências notification page. This can lead to session hijacking and account takeover, compromising user accounts and potentially sensitive data within the WeGIA application.

Upgrade WeGIA to version 3.6.10 or later, where this vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is inferred from the version information; check the vendor's official channels for confirmation and further guidance.