WeGIA versions before 3.7.3 contain a stored XSS vulnerability (CWE-79) on the 'Etapas de um Processo' page (html/atendido/etapa_processo.php). An authenticated user can inject malicious JavaScript that executes when other users access this page, leading to session hijacking and account takeover. The vulnerability has a CVSS 3.1 base score of 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, scope changed, high confidentiality impact, no integrity or availability impact. The issue is fixed in WeGIA version 3.7.3. No vendor advisory or patch link is provided, so patch status is not explicitly confirmed here.

Successful exploitation allows an authenticated user to inject malicious JavaScript into a specific page, which executes in the context of other users viewing that page. This can lead to session hijacking and account takeover, compromising user accounts and potentially sensitive data. The confidentiality impact is high, but integrity and availability impacts are not affected. No known exploits in the wild have been reported.

The vulnerability is fixed in WeGIA version 3.7.3. Users should upgrade to version 3.7.3 or later to remediate this issue. Patch status is not explicitly confirmed by a vendor advisory in the provided data, so users should verify with the vendor for official patch availability and guidance. Until patched, restrict authenticated user privileges to limit potential exploitation.