SB20260423165 - Multiple vulnerabilities in WeGIA



SB20260423165 - Multiple vulnerabilities in WeGIA

Published: April 23, 2026 Updated: April 30, 2026

Security Bulletin ID SB20260423165
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2025-58452)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the listar_despachos.php endpoint when handling a crafted id_memorando parameter in a GET request. A remote attacker can send a specially crafted link to execute arbitrary script in the victim's browser.

User interaction is required to open the crafted request.


2) SQL injection (CVE-ID: CVE-2025-58453)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the exibe_anexo.php endpoint when processing the id_anexo parameter. A remote user can send a specially crafted request to disclose sensitive information.

The issue is blind time-based and may also be leveraged to cause delays in database responses.


3) SQL injection (CVE-ID: CVE-2025-58454)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the listar_despachos.php endpoint when handling the id_memorando parameter in GET requests. A remote user can send a specially crafted parameter value to disclose sensitive information.

Exploitation may also enable arbitrary SQL query execution and time-delay queries.


4) Arbitrary file upload (CVE-ID: CVE-2025-58159)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unrestricted upload of file with dangerous type in /html/socio/sistema/controller/controla_xlsx.php when handling file uploads. A remote user can upload a crafted spreadsheet file with a .php extension and then access the uploaded file directly to execute arbitrary code.

The uploaded filename may include a random prefix in the server response.


5) Arbitrary file upload (CVE-ID: CVE-2025-58745)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unrestricted upload of file with dangerous type in /html/socio/sistema/controller/controla_xlsx.php when handling uploaded Excel files. A remote user can upload a crafted PHP file with Excel magic bytes to execute arbitrary code.

The issue can be exploited by bypassing MIME-type-only validation that does not verify the file extension and real file content.


Remediation

Install update from vendor's website.