SB20260423165 - Multiple vulnerabilities in WeGIA
Published: April 23, 2026 Updated: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-58452)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in the listar_despachos.php endpoint when handling a crafted id_memorando parameter in a GET request. A remote attacker can send a specially crafted link to execute arbitrary script in the victim's browser.
User interaction is required to open the crafted request.
2) SQL injection (CVE-ID: CVE-2025-58453)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the exibe_anexo.php endpoint when processing the id_anexo parameter. A remote user can send a specially crafted request to disclose sensitive information.
The issue is blind time-based and may also be leveraged to cause delays in database responses.
3) SQL injection (CVE-ID: CVE-2025-58454)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the listar_despachos.php endpoint when handling the id_memorando parameter in GET requests. A remote user can send a specially crafted parameter value to disclose sensitive information.
Exploitation may also enable arbitrary SQL query execution and time-delay queries.
4) Arbitrary file upload (CVE-ID: CVE-2025-58159)
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to unrestricted upload of file with dangerous type in /html/socio/sistema/controller/controla_xlsx.php when handling file uploads. A remote user can upload a crafted spreadsheet file with a .php extension and then access the uploaded file directly to execute arbitrary code.
The uploaded filename may include a random prefix in the server response.
5) Arbitrary file upload (CVE-ID: CVE-2025-58745)
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to unrestricted upload of file with dangerous type in /html/socio/sistema/controller/controla_xlsx.php when handling uploaded Excel files. A remote user can upload a crafted PHP file with Excel magic bytes to execute arbitrary code.
The issue can be exploited by bypassing MIME-type-only validation that does not verify the file extension and real file content.
Remediation
Install update from vendor's website.
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hq9x-mfv2-x467
- https://github.com/advisories/GHSA-hq9x-mfv2-x467
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gg48-pg9f-39fx
- https://github.com/advisories/GHSA-gg48-pg9f-39fx
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-ghfh-g6rg-jmqf
- https://github.com/advisories/GHSA-ghfh-g6rg-jmqf
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wj2c-237g-cgqp
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hq96-gvmx-qrwp