SB2025021748 - Multiple vulnerabilities in WeGIA
Published: February 17, 2025 Updated: May 2, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) SQL injection (CVE-ID: CVE-2025-27096)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL queries and disclose sensitive information.
The vulnerability exists due to SQL injection in the html/personalizacao_upload.php endpoint when processing the POST parameter id_campo. A remote user can send a specially crafted POST request to execute arbitrary SQL queries and disclose sensitive information.
2) SQL injection (CVE-ID: CVE-2025-26617)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary SQL queries and disclose sensitive information.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in the historico_paciente.php endpoint when handling the id_fichamedica GET parameter. A remote attacker can send a specially crafted request to execute arbitrary SQL queries and disclose sensitive information.
The endpoint code continues executing after redirect logic, which allows exploitation even when the requester is not logged in.
3) SQL injection (CVE-ID: CVE-2025-26614)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL queries and disclose sensitive information.
The vulnerability exists due to SQL injection in the deletar_documento.php endpoint when handling a crafted id_cargo parameter in a GET request. A remote user can send a specially crafted request to execute arbitrary SQL queries and disclose sensitive information.
4) OS Command Injection (CVE-ID: CVE-2025-26613)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in an os command in the gerenciar_backup.php endpoint when handling the file parameter in POST requests. A remote attacker can send a specially crafted request to execute arbitrary code.
The issue can be exploited without being logged in because execution continues after the session check and redirect logic.
5) Path traversal (CVE-ID: CVE-2025-26615)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the examples.php endpoint when processing the src parameter in POST requests. A remote attacker can send a specially crafted request to disclose sensitive information.
The issue can expose config.php and other files outside the intended directory, and exposed database credentials may enable unauthorized access to the database.
6) Path traversal (CVE-ID: CVE-2025-26616)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the exportar_dump.php endpoint when processing the file parameter in POST requests. A remote attacker can send a specially crafted request to disclose sensitive information.
The issue can be exploited without being logged in because execution continues after the redirect code following session validation.
Remediation
Install update from vendor's website.
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j856-wh9m-9vpm
- https://github.com/advisories/GHSA-j856-wh9m-9vpm
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-f654-c5r5-jx77
- https://github.com/advisories/GHSA-f654-c5r5-jx77
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3qhx-gfqj-vm2j
- https://github.com/advisories/GHSA-3qhx-gfqj-vm2j
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g3w6-m6w8-p6r2
- https://github.com/advisories/GHSA-g3w6-m6w8-p6r2
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-p5wx-pv8j-f96h
- https://github.com/DataTables/DataTables/blob/master/examples/resources/examples.php
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xxqg-p22h-3f32