SB20260423163 - Multiple vulnerabilities in WeGIA
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the pessoa/editar_info_pessoal.php endpoint when handling user-supplied parameters. A remote attacker can send a specially crafted request to execute arbitrary script in a victim's browser.
The issue is reflected and can be triggered through any parameter in the request URL.
2) SQL injection (CVE-ID: CVE-2025-62360)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in the /html/funcionario/dependente_documento.php endpoint when processing a POST request containing the id_dependente parameter. A remote attacker can send a specially crafted POST request to disclose sensitive information.
Successful exploitation requires that the supplied id_dependente value exists in the database.
3) SQL injection (CVE-ID: CVE-2025-62177)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the /html/funcionario/dependente_listar.php endpoint when handling POST requests containing the id_funcionario parameter. A remote privileged user can send a specially crafted id_funcionario parameter value to execute arbitrary SQL commands.
4) Cross-site scripting (CVE-ID: CVE-2025-62178)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to cross-site scripting in the /html/atendido/cadastro_atendido_parentesco_pessoa_nova.php endpoint when handling the idatendido parameter in GET requests. A remote privileged user can send a specially crafted request to execute arbitrary JavaScript in the victim's browser.
User interaction is required to access the crafted URL.
5) SQL injection (CVE-ID: CVE-2025-62179)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the /html/funcionario/cadastro_funcionario_pessoa_existente.php endpoint when handling the cpf parameter. A remote privileged user can send a specially crafted cpf parameter value to execute arbitrary SQL commands.
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper neutralization of script-related html tags in pessoa/editar_info_pessoal.php when handling a crafted GET request parameter. A remote attacker can supply a specially crafted parameter value to execute arbitrary script in the victim's browser.
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper neutralization of script-related html tags in pessoa/editar_info_pessoal.php when handling a crafted action parameter in a GET request. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.
8) Cross-site scripting (CVE-ID: CVE-2025-62358)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to cross-site scripting in the /html/configuracao/configuracao_geral.php endpoint when handling the log parameter. A remote attacker can send a specially crafted URL to execute arbitrary JavaScript in the victim's browser.
If the victim is logged in and the session cookie is not flagged HttpOnly, exploitation can lead to session hijacking and account takeover. User interaction is required to open the crafted URL.
9) Open redirect (CVE-ID: N/A)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to redirect users to arbitrary external sites.
The vulnerability exists due to url redirection to untrusted site in /controle/control.php when processing the nextPage parameter. A remote privileged user can craft a trusted-looking link to redirect users to arbitrary external sites.
User interaction is required to follow the crafted link.
Remediation
Install update from vendor's website.
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h273-wj4q-9933
- https://github.com/advisories/GHSA-h273-wj4q-9933
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m4j6-q5m4-x24g
- https://github.com/advisories/GHSA-m4j6-q5m4-x24g
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-4wrg-g9cj-hjcx
- https://github.com/advisories/GHSA-4wrg-g9cj-hjcx
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-fj32-779r-28qv
- https://github.com/advisories/GHSA-fj32-779r-28qv
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x36x-x5j4-wfjf
- https://github.com/advisories/GHSA-x36x-x5j4-wfjf
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wqjv-fhc9-h7hm
- https://github.com/advisories/GHSA-wqjv-fhc9-h7hm
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jmm7-rr7w-f223
- https://github.com/advisories/GHSA-jmm7-rr7w-f223
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g6hr-2rhx-f8q4
- https://github.com/advisories/GHSA-g6hr-2rhx-f8q4
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wgv2-wqvm-jchf
- https://github.com/advisories/GHSA-wgv2-wqvm-jchf