SB2026043092 - Multiple vulnerabilities in WeGIA

Published: April 30, 2026

Security Bulletin ID: SB2026043092
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 11
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 9%
Medium: 91%

Description

This security bulletin contains information about 11 security vulnerabilities.


1) Missing Authentication for Critical Function (CVE-ID: CVE-2025-53938)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication in multiple endpoint handlers, which process HTTP requests that carry no session cookie or authentication token. A remote attacker can send crafted HTTP requests to these endpoints to disclose sensitive information.

The issue affects /dao/verificar_recursos_cargo.php, /dao/exibir_cargo.php, /dao/verificar_modulos_visiveis.php, /dao/exibir_documento.php, and /dao/adicionar_documento.php.


2) SQL injection (CVE-ID: CVE-2025-53937)

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the cargo parameter of the /controle/control.php endpoint. A remote user can send a specially crafted cargo parameter value to execute arbitrary SQL commands.


3) Cross-site scripting (CVE-ID: CVE-2025-53936)

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the personalizacao_selecao.php endpoint when processing the nome_car parameter in POST requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the reflected payload to be executed in the victim's browser.


4) Cross-site scripting (CVE-ID: CVE-2025-53935)

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of the id parameter during web page generation in the personalizacao_selecao.php endpoint when processing POST requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the reflected payload to be executed in the victim's browser.


5) Cross-site scripting (CVE-ID: CVE-2025-53934)

The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to stored cross-site scripting (XSS) in the descricao_emergencia parameter of the /controle/control.php endpoint when processing a crafted POST request. A remote attacker can submit a specially crafted descricao_emergencia value to execute arbitrary script in a victim's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


6) Cross-site scripting (CVE-ID: CVE-2025-53933)

The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to cross-site scripting (XSS) in the nome parameter of the /html/saude/adicionar_enfermidade.php endpoint when processing a crafted POST request. A remote attacker can submit a specially crafted nome parameter value to execute arbitrary script code in a victim's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


7) SQL injection (CVE-ID: CVE-2025-53823)

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the processa_deletar_socio.php endpoint parameter id_socio when handling crafted POST requests. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.

The issue is described as a blind time-based SQL injection.


8) SQL injection (CVE-ID: CVE-2025-53946)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the /html/saude/profile_paciente.php endpoint when processing the id_fichamedica parameter. A remote user can send a specially crafted request to disclose sensitive information.

The issue can be used to enumerate database schemas, tables, users, and versions.


9) Cross-site scripting (CVE-ID: CVE-2025-53820)

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser and disclose sensitive information.

The vulnerability exists due to cross-site scripting (XSS) in the erro parameter of the index.php endpoint when handling a crafted GET request. A remote attacker can supply a specially crafted erro parameter value to execute arbitrary script in the victim's browser and disclose sensitive information.

User interaction is required to load the crafted request.


10) Open redirect (CVE-ID: CVE-2025-53821)

The vulnerability allows a remote attacker to redirect users to an arbitrary external site.

The vulnerability exists due to URL redirection to an untrusted site in the control.php endpoint when handling requests that contain the nextPage parameter. A remote attacker can supply a crafted URL in the nextPage parameter to redirect users to an arbitrary external site.

User interaction is required to follow the crafted link.
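
As an added illustration of the fix for this class of issue (example code, not WeGIA's own), a PHP guard for a post-login nextPage parameter that accepts only local absolute paths and falls back to a fixed page otherwise; the function name safe_next_page and the '/home.php' default are assumptions.

```php
<?php
// Added example, not WeGIA's code. safe_next_page() and the '/home.php'
// default target are assumptions chosen for illustration.

function safe_next_page(?string $next, string $default = '/home.php'): string
{
    if ($next === null || $next === '') {
        return $default;
    }
    // Anything carrying a scheme is external ("http:", "javascript:", "data:").
    // Leading whitespace and control bytes count too, since browsers strip them.
    if (preg_match('#^[\s\x00-\x1f]*[a-z][a-z0-9+.-]*:#i', $next)) {
        return $default;
    }
    // Protocol-relative forms ("//host", "/\host") and any backslash or
    // control byte (CR/LF in a Location header also allows header injection).
    if (preg_match('#^[/\\\\]{2}#', $next) || preg_match('#[\\\\\x00-\x1f]#', $next)) {
        return $default;
    }
    // Require an absolute local path and refuse ".." segments.
    if ($next[0] !== '/' || preg_match('#(^|/)\.\.(/|$)#', $next)) {
        return $default;
    }
    // Belt and braces: parse_url must not see a scheme or host either.
    $parts = parse_url($next);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $next;
}

// Usage at the redirect site. nextPage[]=x would arrive as an array, so only
// string values are passed to the guard; everything else gets the default.
$raw = $_REQUEST['nextPage'] ?? null;
header('Location: ' . safe_next_page(is_string($raw) ? $raw : null), true, 302);
exit;
```

Where the set of valid landing pages is known in advance, an explicit allow-list of those paths is simpler and stricter than this syntactic check and can replace it.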


11) Cross-site scripting (CVE-ID: CVE-2025-53822)

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting (XSS) in the tipo_relatorio parameter of the relatorio_geracao.php endpoint. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required to trigger the malicious payload.


Remediation

Install the update from the vendor's website.