SB20260423167 - Multiple vulnerabilities in WeGIA



SB20260423167 - Multiple vulnerabilities in WeGIA

Published: April 23, 2026

Security Bulletin ID SB20260423167
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 10% Low 90%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 vulnerabilities.


1) SQL injection (CVE-ID: CVE-2026-23723)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the Atendido_ocorrenciaControle endpoint when handling the id_memorando parameter. A remote privileged user can send a specially crafted request to disclose sensitive information.

In misconfigured environments where the database FILE privilege is enabled, local file contents may also be exposed.


2) Cross-site scripting (CVE-ID: CVE-2026-23722)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code in the victim's browser and perform ui redressing.

The vulnerability exists due to cross-site scripting in html/memorando/insere_despacho.php when processing the id_memorando GET parameter. A remote attacker can send a specially crafted link to execute arbitrary code in the victim's browser and perform ui redressing.

The injected content is reflected into the HTML response, and the advisory demonstrates that opening a crafted link can overlay the application interface with attacker-controlled iframe content.


3) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2026-23731)

CWE-ID: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform ui redressing attacks and trigger unauthorized actions.

The vulnerability exists due to improper restriction of rendered ui layers or frames in the web application when handling framed page loads. A remote attacker can embed the application in a malicious page and trick a user into clicking disguised elements to perform ui redressing attacks and trigger unauthorized actions.

User interaction is required, and exploitation relies on the victim having an active session.


4) Open redirect (CVE-ID: CVE-2026-23730)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect users to arbitrary external websites.

The vulnerability exists due to url redirection to an untrusted site in the control.php endpoint when handling the nextPage parameter with metodo=listarTodos and nomeClasse=ProdutoControle. A remote user can send a specially crafted request to redirect users to arbitrary external websites.

User interaction is required for the victim to follow the crafted link.


5) Open redirect (CVE-ID: CVE-2026-23729)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect users to arbitrary external websites.

The vulnerability exists due to url redirection to an untrusted site in the /WeGIA/controle/control.php endpoint when processing the nextPage parameter with metodo=listarDescricao and nomeClasse=ProdutoControle. A remote user can send a crafted request containing an external URL in the nextPage parameter to redirect users to arbitrary external websites.

User interaction is required for the redirect to occur.


6) Open redirect (CVE-ID: CVE-2026-23728)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect users to arbitrary external websites.

The vulnerability exists due to url redirection to an untrusted site in the /WeGIA/controle/control.php endpoint when processing the nextPage parameter with metodo=listarTodos and nomeClasse=DestinoControle. A remote user can send a specially crafted request to redirect users to arbitrary external websites.

User interaction is required to follow the crafted redirect.


7) Open redirect (CVE-ID: CVE-2026-23727)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect users to arbitrary external websites.

The vulnerability exists due to url redirection to an untrusted site in the control.php endpoint when processing the nextPage parameter with metodo=listarTodos and nomeClasse=TipoSaidaControle. A remote user can send a specially crafted request to redirect users to arbitrary external websites.

User interaction is required for the victim to follow the crafted link or request.


8) Open redirect (CVE-ID: CVE-2026-23726)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect users to arbitrary external websites.

The vulnerability exists due to url redirection to an untrusted site in the /WeGIA/controle/control.php endpoint when processing the nextPage parameter with metodo=listarTodos and nomeClasse=TipoEntradaControle. A remote user can send a crafted request with a malicious nextPage value to redirect users to arbitrary external websites.

User interaction is required for the redirect to be followed.


9) Cross-site scripting (CVE-ID: CVE-2026-23725)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in the Adopters Information table in html/pet/adotantes/informacao_adotantes.php when rendering adopter records containing user-controlled nome input. A remote user can save a specially crafted adopter name to execute arbitrary JavaScript in the victim's browser.

The injected payload is stored and executes automatically when the Adopters Information page is loaded.


10) Cross-site scripting (CVE-ID: CVE-2026-23724)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in the "Atendido" selection dropdown within html/atendido/cadastro_ocorrencia.php when rendering database-backed user-controlled data. A remote user can store a crafted payload in an Atendido value to execute arbitrary JavaScript in the victim's browser.

The issue is triggered when the occurrence registration page loads and renders the stored value inside the dropdown.


Remediation

Install update from vendor's website.