SB20260423163 - Multiple vulnerabilities in WeGIA



SB20260423163 - Multiple vulnerabilities in WeGIA

Published: April 23, 2026

Security Bulletin ID SB20260423163
CSH Severity
High
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 11% Medium 44% Low 44%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 vulnerabilities.


1) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the pessoa/editar_info_pessoal.php endpoint when handling user-supplied parameters. A remote attacker can send a specially crafted request to execute arbitrary script in a victim's browser.

The issue is reflected and can be triggered through any parameter in the request URL.


2) SQL injection (CVE-ID: CVE-2025-62360)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the /html/funcionario/dependente_documento.php endpoint when processing a POST request containing the id_dependente parameter. A remote attacker can send a specially crafted POST request to disclose sensitive information.

Successful exploitation requires that the supplied id_dependente value exists in the database.


3) SQL injection (CVE-ID: CVE-2025-62177)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the /html/funcionario/dependente_listar.php endpoint when handling POST requests containing the id_funcionario parameter. A remote privileged user can send a specially crafted id_funcionario parameter value to execute arbitrary SQL commands.


4) Cross-site scripting (CVE-ID: CVE-2025-62178)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in the /html/atendido/cadastro_atendido_parentesco_pessoa_nova.php endpoint when handling the idatendido parameter in GET requests. A remote privileged user can send a specially crafted request to execute arbitrary JavaScript in the victim's browser.

User interaction is required to access the crafted URL.


5) SQL injection (CVE-ID: CVE-2025-62179)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the /html/funcionario/cadastro_funcionario_pessoa_existente.php endpoint when handling the cpf parameter. A remote privileged user can send a specially crafted cpf parameter value to execute arbitrary SQL commands.


6) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-62597)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of script-related html tags in pessoa/editar_info_pessoal.php when handling a crafted GET request parameter. A remote attacker can supply a specially crafted parameter value to execute arbitrary script in the victim's browser.


7) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-62598)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of script-related html tags in pessoa/editar_info_pessoal.php when handling a crafted action parameter in a GET request. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.


8) Cross-site scripting (CVE-ID: CVE-2025-62358)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in the /html/configuracao/configuracao_geral.php endpoint when handling the log parameter. A remote attacker can send a specially crafted URL to execute arbitrary JavaScript in the victim's browser.

If the victim is logged in and the session cookie is not flagged HttpOnly, exploitation can lead to session hijacking and account takeover. User interaction is required to open the crafted URL.


9) Open redirect (CVE-ID: N/A)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect users to arbitrary external sites.

The vulnerability exists due to url redirection to untrusted site in /controle/control.php when processing the nextPage parameter. A remote privileged user can craft a trusted-looking link to redirect users to arbitrary external sites.

User interaction is required to follow the crafted link.


Remediation

Install update from vendor's website.