SB20260423164 - Multiple vulnerabilities in WeGIA



SB20260423164 - Multiple vulnerabilities in WeGIA

Published: April 23, 2026 Updated: April 30, 2026

Security Bulletin ID SB20260423164
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 63% Low 38%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2025-62359)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the /pet/profile_pet.php endpoint when processing the id_pet parameter in a GET request. A remote attacker can send a specially crafted link to execute arbitrary script in a victim's browser.

User interaction is required to open the crafted link.


2) Improper Authentication (CVE-ID: CVE-2025-61665)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper authentication in get_relatorios_socios.php endpoint when handling crafted GET requests to the member reports endpoint. A remote attacker can send a specially crafted request to disclose sensitive information.

Exposed data may include full names, phone numbers, CPF numbers, financial amounts, email addresses, and membership status.


3) Open redirect (CVE-ID: CVE-2025-61606)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect users to arbitrary external domains.

The vulnerability exists due to url redirection to an untrusted site in the control.php endpoint when processing the nextPage parameter in requests to metodo=listarUm with nomeClasse=FuncionarioControle. A remote user can send a crafted request with a malicious nextPage value to redirect users to arbitrary external domains.

User interaction is required for the redirect to occur.


4) Open redirect (CVE-ID: CVE-2025-62361)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect users to arbitrary external domains.

The vulnerability exists due to url redirection to untrusted site in the control.php endpoint when handling the nextPage parameter in requests to metodo=listarTodos and nomeClasse=AlmoxarifeControle. A remote user can send a specially crafted request containing an external URL to redirect users to arbitrary external domains.

User interaction is required for a victim to follow the malicious redirect.


5) SQL injection (CVE-ID: CVE-2025-61605)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the /pet/profile_pet.php endpoint when processing the id_pet parameter. A remote user can send a specially crafted request to execute arbitrary SQL commands.


6) Cross-site request forgery (CVE-ID: CVE-2025-61604)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform unauthorized deletion actions.

The vulnerability exists due to cross-site request forgery in the AlmoxarifadoControle class delete functionality on the control.php endpoint when handling crafted GET requests. A remote user can trick a victim into visiting a crafted page or link to perform unauthorized deletion actions.

User interaction is required to trigger the crafted request.


7) SQL injection (CVE-ID: CVE-2025-61603)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the /controle/control.php endpoint descricao parameter when handling requests. A remote user can send a specially crafted request to execute arbitrary SQL commands.

The issue is exploitable through blind time-based SQL injection.


8) SQL injection (CVE-ID: CVE-2025-59939)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL commands in the application database.

The vulnerability exists due to SQL injection in the control.php endpoint in the ProdutoControle::excluir method when handling requests with the id_produto parameter. A remote user can send a specially crafted request to execute arbitrary SQL commands in the application database.


Remediation

Install update from vendor's website.