Platform
php
Component
wegia
Fixed in
3.6.8
CVE-2026-33135 describes a Reflected Cross-Site Scripting (XSS) vulnerability affecting WeGIA, a web manager for charitable institutions. This vulnerability allows attackers to inject arbitrary JavaScript code into the application, potentially compromising user accounts and sensitive data. Versions 3.6.6 and earlier are vulnerable, and a fix is available in version 3.6.7.
The XSS vulnerability in WeGIA allows an attacker to execute malicious JavaScript code within the context of a user's browser session. This can lead to various attacks, including session hijacking, credential theft, and defacement of the WeGIA interface. An attacker could craft a malicious link containing the injected JavaScript payload and send it to a legitimate WeGIA user. Upon clicking the link, the JavaScript code would execute, granting the attacker control over the user's session. The potential impact extends to sensitive data managed within WeGIA, such as donor information, financial records, and beneficiary details, making this a high-risk vulnerability.
CVE-2026-33135 was publicly disclosed on 2026-03-20. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's severity is rated as CRITICAL (CVSS 9.3), indicating a high probability of exploitation if left unaddressed. It is not currently listed on the CISA KEV catalog.
Charitable institutions and organizations using WeGIA version 3.6.6 or earlier are at significant risk. This includes organizations relying on WeGIA for managing donor information, financial records, and other sensitive data. Shared hosting environments where multiple organizations share the same WeGIA instance are particularly vulnerable, as a compromise of one organization could potentially impact others.
• generic web: Use curl to test the novomemorandoo.php endpoint with a simple JavaScript payload in the sccs parameter (e.g., curl 'http://wegia-instance/?novomemorandoo.php&sccs=<script>alert(1)</script>').
• generic web: Examine access and error logs for requests containing suspicious JavaScript code in the sccs parameter.
• php: Review the novo_memorandoo.php file for the vulnerable code (line 273) and ensure proper sanitization/encoding of user input.
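To support the log-review step above, here is an added example (not from the advisory or the WeGIA project) that parses combined-format access-log lines, decodes the sccs parameter and flags values carrying script markers. The log lines are constructed, and the /novo_memorandoo.php path is taken from this advisory's wording, not verified against the project.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a common/combined-format access-log entry:
# client - - [timestamp] "METHOD target HTTP/x" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that should never appear in a memo-identifier parameter:
# script tags, javascript: URIs, inline event handlers. Heuristic only;
# the on*= rule can hit benign words such as "online=" and may need tuning.
SUSPICIOUS = re.compile(r'<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=', re.I)

def extract_sccs(target):
    """Return the percent-decoded sccs= value(s) from a request target, or [].

    Handles both forms seen in this advisory: /?novomemorandoo.php&sccs=...
    and /novo_memorandoo.php?sccs=... (parse_qs decodes %XX once, as PHP does).
    """
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get('sccs', [])

def scan_access_log(lines):
    """Yield one hit dict per request whose sccs value looks like an XSS probe."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:  # unparseable or non-request line, skip
            continue
        for value in extract_sccs(m['target']):
            if SUSPICIOUS.search(value):
                hits.append({'ip': m['ip'], 'ts': m['ts'],
                             'status': int(m['status']), 'sccs': value})
    return hits

# Constructed sample log: one benign request, one raw payload (as curl would
# send it), one percent-encoded payload (as a browser would send it), one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2026:10:15:01 +0000] "GET /?novomemorandoo.php&sccs=ok HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Mar/2026:10:15:09 +0000] "GET /?novomemorandoo.php&sccs=<script>alert(1)</script> HTTP/1.1" 200 640',
    '198.51.100.4 - - [20/Mar/2026:10:16:30 +0000] "GET /novo_memorandoo.php?sccs=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 655',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} sccs={hit['sccs']!r}")
```

Requests whose target contains a raw space are not matched by the regex; check the server's 400 responses separately if your log shows such lines.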
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33135 is to immediately upgrade WeGIA to version 3.6.7 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and output encoding on the 'novo_memorandoo.php' endpoint. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting GET parameters can also provide a layer of protection. Regularly review and update WeGIA's configuration to ensure adherence to security best practices.
Update WeGIA to version 3.6.7 or later. This version contains a fix for the XSS vulnerability. The update can be applied by downloading the new version from the vendor's website or by using the update mechanism built into the application.
CVE-2026-33135 is a critical Reflected Cross-Site Scripting (XSS) vulnerability in WeGIA versions 3.6.6 and below, allowing attackers to inject JavaScript code.
Yes, if you are using WeGIA version 3.6.6 or earlier, you are vulnerable to this XSS attack.
Upgrade WeGIA to version 3.6.7 or later to resolve this vulnerability. Implement a WAF rule as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests it is likely to be targeted.
Refer to the WeGIA official website or security advisories for the latest information and updates regarding this vulnerability.