SB20250327163 - Multiple vulnerabilities in WeGIA



SB20250327163 - Multiple vulnerabilities in WeGIA

Published: March 27, 2025 Updated: May 2, 2026

Security Bulletin ID SB20250327163
CSH Severity
High
Patch available
YES
Number of vulnerabilities 30
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 3% Medium 93% Low 3%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 30 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2025-30366)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in personalizacao.php when processing input in the titulo, subtitulo, conheça, objetivo, and rodape parameters. A remote privileged user can submit specially crafted input to execute arbitrary script in a user's browser.

User interaction is required when a victim accesses the home page or personalizacao.php.


2) SQL injection (CVE-ID: CVE-2025-30365)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the query parameter of the /WeGIA/html/socio/sistema/controller/query_geracao_auto.php endpoint when handling POST requests. A remote user can send a specially crafted query parameter to execute arbitrary SQL commands.


3) SQL injection (CVE-ID: CVE-2025-30364)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the remuneracao.php endpoint when processing the id_funcionario parameter. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.

The issue is blind time-based and may be used to exfiltrate confidential data or cause a denial of service through time-delay queries.


4) Cross-site scripting (CVE-ID: CVE-2025-30362)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in html/geral/documentos_funcionario.php when processing the id parameter. A remote attacker can submit a specially crafted input that is stored by the application to execute arbitrary script code in the victim's browser.

User interaction is required to load the compromised page.


5) Arbitrary file upload (CVE-ID: CVE-2025-22133)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unrestricted upload of file with dangerous type in /WeGIA/html/socio/sistema/controller/controla_xlsx.php when handling file uploads. A remote user can upload a specially crafted .phar file to execute arbitrary code.

The uploaded file can then be executed by the server from a reachable file path.


6) Cross-site scripting (CVE-ID: CVE-2025-22139)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in the configuracao_geral.php endpoint when processing the msg parameter. A remote attacker can send a specially crafted request to execute arbitrary script code in the victim's browser.

User interaction is required for the victim to load the crafted request.


7) SQL injection (CVE-ID: CVE-2025-22140)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the /html/funcionario/dependente_listar_um.php endpoint when processing the id_dependente parameter. A remote user can send a specially crafted parameter value to execute arbitrary SQL commands.

The issue is exploitable as a blind time-based SQL injection.


8) SQL injection (CVE-ID: CVE-2025-22141)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the /dao/verificar_recursos_cargo.php endpoint when processing the cargo parameter. A remote user can send a specially crafted parameter value to execute arbitrary SQL commands.

The issue is exploitable as a blind time-based SQL injection.


9) Cross-site scripting (CVE-ID: CVE-2025-22143)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the listar_permissoes.php endpoint when processing the msg_e parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script in a victim's browser.

User interaction is required for the victim to load the crafted request.


10) Cross-site scripting (CVE-ID: CVE-2025-22596)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in the modulos_visiveis.php endpoint when processing the msg_c parameter. A remote attacker can send a specially crafted request to execute arbitrary script code in the victim's browser.

User interaction is required for the crafted response to be rendered in a browser.


11) Cross-site scripting (CVE-ID: CVE-2025-22597)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a user's browser.

The vulnerability exists due to cross-site scripting in the CobrancaController.php endpoint when processing the local_recepcao parameter. A remote attacker can submit a specially crafted parameter value to execute arbitrary script code in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


12) Cross-site scripting (CVE-ID: CVE-2025-22598)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the cadastrarSocio.php endpoint when processing the nome parameter. A remote attacker can submit a specially crafted input to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


13) Cross-site scripting (CVE-ID: CVE-2025-22599)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the home.php endpoint when processing the msg_c parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the reflected payload to be rendered in the victim's browser.


14) Cross-site scripting (CVE-ID: CVE-2025-22600)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the configuracao_doacao.php endpoint when processing the avulso parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the crafted response to be rendered in a browser.


15) Cross-site scripting (CVE-ID: CVE-2025-22613)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a user's browser.

The vulnerability exists due to cross-site scripting in the informacao_adicional.php endpoint parameter descricao when processing user-supplied input. A remote attacker can submit a specially crafted descricao value to execute arbitrary script code in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


16) Cross-site scripting (CVE-ID: CVE-2025-22614)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the dependente_editarInfoPessoal.php endpoint when processing the nome and SobrenomeForm parameters. A remote attacker can submit crafted input to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


17) Cross-site scripting (CVE-ID: CVE-2025-22615)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the Cadastro_Atendido.php endpoint when processing the cpf parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the crafted response to be rendered in a browser.


18) Cross-site scripting (CVE-ID: CVE-2025-22616)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a user's browser.

The vulnerability exists due to cross-site scripting in the dependente_parentesco_adicionar.php endpoint when processing the descricao parameter. A remote attacker can submit a specially crafted descricao value to execute arbitrary script code in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


19) Cross-site scripting (CVE-ID: CVE-2025-22617)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to cross-site scripting in the editar_socio.php endpoint when processing the socio parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script code in a victim's browser.

User interaction is required for the crafted response to be rendered in the victim's browser.


20) Cross-site scripting (CVE-ID: CVE-2025-22618)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a user's browser.

The vulnerability exists due to cross-site scripting in the adicionar_cargo.php endpoint when processing the cargo parameter. A remote attacker can submit a specially crafted value to execute arbitrary script code in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


21) Cross-site scripting (CVE-ID: CVE-2025-22619)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to improper input validation in editar_permissoes.php when handling the msg_c parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script code in the victim's browser.

User interaction is required for the crafted response to be rendered in a browser.


22) Cross-site scripting (CVE-ID: CVE-2025-23030)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the cadastro_funcionario.php endpoint when processing the cpf parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script in a victim's browser.

User interaction is required for the victim to load the crafted request.


23) Cross-site scripting (CVE-ID: CVE-2025-23031)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the adicionar_alergia.php endpoint when processing the nome parameter. A remote attacker can submit a specially crafted value to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


24) Cross-site scripting (CVE-ID: CVE-2025-23032)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the adicionar_escala.php endpoint when processing the escala parameter. A remote attacker can submit a specially crafted value to execute arbitrary script in a victim's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


25) Cross-site scripting (CVE-ID: CVE-2025-23033)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the adicionar_situacao.php endpoint when processing the situacao parameter. A remote attacker can submit a specially crafted input to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


26) Cross-site scripting (CVE-ID: CVE-2025-23034)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the tags.php endpoint when processing the msg_e parameter. A remote attacker can send a specially crafted request to execute arbitrary script in a victim's browser.

User interaction is required for the malicious response to be rendered in the victim's browser.


27) Cross-site scripting (CVE-ID: CVE-2025-23035)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the adicionar_tipo_quadro_horario.php endpoint when processing the tipo parameter. A remote attacker can submit a specially crafted tipo value to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


28) Cross-site scripting (CVE-ID: CVE-2025-23036)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the pre_cadastro_funcionario.php endpoint when processing the msg_e parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the victim to load the crafted request.


29) Cross-site scripting (CVE-ID: CVE-2025-23037)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the control.php endpoint when processing the cargo parameter. A remote attacker can submit a specially crafted value to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


30) Cross-site scripting (CVE-ID: CVE-2025-23038)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the remuneracao.php endpoint when processing the descricao parameter. A remote attacker can submit a specially crafted descricao value to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


Remediation

Install update from vendor's website.

References