CVE-2024-57030
Published: 17 January 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
Wegia versions prior to 3.2.0 contain a Cross-Site Scripting (XSS) vulnerability in the /geral/documentos_funcionario.php component, exploitable through the id parameter. Tracked as CVE-2024-57030 and published on 2025-01-17, this issue corresponds to CWE-79 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers require no privileges to exploit this vulnerability over the network, though it demands high attack complexity and no user interaction. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability within the affected application.
Mitigation involves upgrading to Wegia 3.2.0 or later. Additional details, including proof-of-concept exploits, are documented in the research repository at https://github.com/nmmorette/vulnerability-research/tree/main/CVE-2024-57030, with the official project site available at https://www.wegia.org/.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability enables exploitation of a public-facing web application (T1190) and facilitates stealing web session cookies from authenticated users via injected JavaScript (T1539).