SB20260423166 - Multiple vulnerabilities in WeGIA
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-67496)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to cross-site scripting in the /WeGIA/html/geral/configurar_senhas.php endpoint when rendering employee names inside the employee selection dropdown. A remote user can store a crafted employee name to execute arbitrary JavaScript in the victim's browser.
The issue is triggered when the password configuration page loads and displays previously stored employee data.
2) Weak password requirements (CVE-ID: CVE-2025-67497)
CWE-ID: CWE-521 - Weak Password Requirements
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to weak password requirements in the user creation and password assignment functionality when creating accounts or assigning passwords. A remote attacker can guess weak credentials for affected accounts to disclose sensitive information.
Exploitation depends on an administrator having created or assigned an extremely weak and predictable password to an account.
3) SQL injection (CVE-ID: CVE-2025-67501)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in the /html/matPat/editar_categoria.php endpoint when processing the id_categoria GET parameter. A remote privileged user can send a specially crafted request to execute arbitrary SQL commands.
4) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.
The vulnerability exists due to cross-site scripting in configurar_senhas.php when processing the verificacao GET parameter. A remote attacker can send a specially crafted link to execute arbitrary script code in the victim's browser.
User interaction is required to open a crafted request.
Remediation
Install update from vendor's website.
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9843-qm67-73h2
- https://github.com/advisories/GHSA-9843-qm67-73h2
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6pxj-742f-cf62
- https://github.com/advisories/GHSA-6pxj-742f-cf62
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hj2x-qfm3-2869
- https://github.com/advisories/GHSA-hj2x-qfm3-2869
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-r9mh-4hc4-h2p3
- https://github.com/advisories/GHSA-r9mh-4hc4-h2p3