WeGIA versions before 3.7.3 contain a stored XSS vulnerability (CWE-79) in the Processo de Aceitação page (html/atendido/processo_aceitacao.php). Authenticated users can inject malicious JavaScript that executes upon page access, risking session hijacking and account takeover. The vulnerability has a CVSS 3.1 base score of 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and impact on confidentiality with scope changed. The issue is resolved in version 3.7.3.

An authenticated attacker can inject persistent malicious scripts that execute in the context of other users accessing the affected page. This can lead to session hijacking and account takeover, compromising user confidentiality and control. There is no reported impact on integrity or availability. The vulnerability requires high privileges to exploit and does not require user interaction beyond accessing the page.

Upgrade WeGIA to version 3.7.3 or later, where this stored XSS vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is confirmed by the vendor advisory stating the fix is in version 3.7.3.