SB20260423174 - Multiple vulnerabilities in WeGIA
Published: April 23, 2026 Updated: April 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-40282)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary JavaScript in a victim's browser.
The vulnerability exists due to cross-site scripting in intercorrencia_visualizar.php when rendering user-controlled names in Intercorrências notifications. A remote attacker can inject malicious HTML or JavaScript into the user name field to execute arbitrary JavaScript in a victim's browser.
User interaction is required when a user accesses the notification page and clicks the relevant notification entry.
2) Cross-site scripting (CVE-ID: CVE-2026-40283)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in victims' browsers.
The vulnerability exists due to cross-site scripting in profile_paciente.php when rendering the user-supplied Nome field on the Informações Pacientes page. A remote privileged user can inject malicious HTML or JavaScript into this field to execute arbitrary JavaScript in victims' browsers.
The payload is stored and executed when patient information is viewed.
3) Cross-site scripting (CVE-ID: CVE-2026-40284)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in victims' browsers.
The vulnerability exists due to improper neutralization of input during web page generation in listar_despachos.php when rendering stored Destinatário field data in the dispatch listing page. A remote privileged user can inject malicious JavaScript through the Destinatário field to execute arbitrary JavaScript in victims' browsers.
The issue is triggered when stored user-controlled data is inserted into the DOM using .html(), and it affects users who view the dispatch page.
4) SQL injection (CVE-ID: CVE-2026-40285)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL queries and disclose sensitive information.
The vulnerability exists due to SQL injection in UsuarioDAO::obterUsuario() when handling a crafted cpf_usuario POST parameter in DespachoControle::verificarDespacho(). A remote user can send a specially crafted request to execute arbitrary SQL queries and disclose sensitive information.
Any valid authenticated session is sufficient, because extract($_REQUEST) can overwrite the session-derived user identity before it is used in the database query.
5) Cross-site scripting (CVE-ID: CVE-2026-40286)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the user's browser.
The vulnerability exists due to cross-site scripting in the Member Registration function when processing the Member Name field and rendering stored input on the contribuições page. A remote attacker can inject a malicious script payload to execute arbitrary script in the user's browser.
The injected payload is persistently stored in the database and is executed when a user navigates to the contribution control page.
6) Information Exposure Through an Error Message (CVE-ID: CVE-2026-42873)
CWE-ID: CWE-209 - Information Exposure Through an Error Message
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper error handling in docdependente_upload.php when uploading a malicious file. A remote user can submit a crafted file upload to disclose sensitive information.
The application returns verbose error messages that may reveal technical details such as permitted file extensions, maximum buffer sizes, or image processing libraries in use.
Remediation
Install update from vendor's website.
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-r6h8-7vxv-q8pp
- https://github.com/advisories/GHSA-r6h8-7vxv-q8pp
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x74c-gwj9-6cwr
- https://github.com/advisories/GHSA-x74c-gwj9-6cwr
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mccp-8446-phw5
- https://github.com/advisories/GHSA-mccp-8446-phw5
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-666r-v2m7-xgp9
- https://github.com/advisories/GHSA-666r-v2m7-xgp9
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-42rc-rvrx-cmmw
- https://github.com/advisories/GHSA-42rc-rvrx-cmmw
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mwc9-45h6-pw24
- https://dev.wegia.org:8100/WeGIA/html/funcionario/docdependente_upload.php