SB2026043092 - Multiple vulnerabilities in WeGIA



SB2026043092 - Multiple vulnerabilities in WeGIA

Published: April 30, 2026 Updated: May 2, 2026

Security Bulletin ID SB2026043092
CSH Severity
High
Patch available
YES
Number of vulnerabilities 15
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 7% Medium 93%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 15 vulnerabilities.


1) Missing Authentication for Critical Function (CVE-ID: CVE-2025-53938)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication in multiple endpoint handlers when handling crafted HTTP requests without any session cookies or authentication tokens. A remote attacker can send crafted HTTP requests to disclose sensitive information.

The issue affects /dao/verificar_recursos_cargo.php, /dao/exibir_cargo.php, /dao/verificar_modulos_visiveis.php, /dao/exibir_documento.php, and /dao/adicionar_documento.php.


2) SQL injection (CVE-ID: CVE-2025-53937)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the /controle/control.php endpoint cargo parameter when handling requests to the control.php endpoint. A remote user can send a specially crafted cargo parameter value to execute arbitrary SQL commands.


3) Cross-site scripting (CVE-ID: CVE-2025-53936)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the personalizacao_selecao.php endpoint when processing the nome_car parameter in POST requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the reflected payload to be executed in the victim's browser.


4) Cross-site scripting (CVE-ID: CVE-2025-53935)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting (XSS) in the personalizacao_selecao.php endpoint when processing the id parameter in POST requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the reflected payload to be executed in the victim's browser.


5) Cross-site scripting (CVE-ID: CVE-2025-53934)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting (stored XSS) in the control.php endpoint parameter descricao_emergencia when processing a crafted POST request to /controle/control.php. A remote attacker can submit a specially crafted descricao_emergencia value to execute arbitrary script in a victim's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


6) Cross-site scripting (CVE-ID: CVE-2025-53933)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to cross-site scripting (XSS) in the adicionar_enfermidade.php endpoint parameter nome when processing a crafted POST request to /html/saude/adicionar_enfermidade.php. A remote attacker can submit a specially crafted nome parameter value to execute arbitrary script code in a victim's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


7) SQL injection (CVE-ID: CVE-2025-53823)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the processa_deletar_socio.php endpoint parameter id_socio when handling crafted POST requests. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.

The issue is described as a blind time-based SQL injection.


8) SQL injection (CVE-ID: CVE-2025-53946)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the /html/saude/profile_paciente.php endpoint when processing the id_fichamedica parameter. A remote user can send a specially crafted request to disclose sensitive information.

The issue can be used to enumerate database schemas, tables, users, and versions.


9) Cross-site scripting (CVE-ID: CVE-2025-53820)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser and disclose sensitive information.

The vulnerability exists due to cross-site scripting (XSS) in the index.php endpoint erro parameter when handling a crafted GET request. A remote attacker can supply a specially crafted erro parameter value to execute arbitrary script in the victim's browser and disclose sensitive information.

User interaction is required to load the crafted request.


10) Open redirect (CVE-ID: CVE-2025-53821)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect users to an arbitrary external site.

The vulnerability exists due to url redirection to an untrusted site in the control.php endpoint when handling requests containing the nextPage parameter. A remote attacker can supply a crafted URL in the nextPage parameter to redirect users to an arbitrary external site.

User interaction is required to follow the crafted link.


11) Cross-site scripting (CVE-ID: CVE-2025-53822)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting (XSS) in the relatorio_geracao.php endpoint when processing the tipo_relatorio parameter. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required to trigger the malicious payload.


12) Cross-site scripting (CVE-ID: CVE-2025-53932)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the cadastro_adotante.php endpoint when processing the cpf parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the victim to load the crafted request.


13) Cross-site scripting (CVE-ID: CVE-2025-53931)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the adicionar_raca.php endpoint when processing the raca parameter. A remote attacker can submit a specially crafted raca value to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


14) Cross-site scripting (CVE-ID: CVE-2025-53930)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the adicionar_especie.php endpoint when processing the especie parameter. A remote attacker can submit a specially crafted value to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the affected page containing the stored payload.


15) Cross-site scripting (CVE-ID: CVE-2025-53929)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the adicionar_cor.php endpoint when processing the cor parameter. A remote attacker can submit a specially crafted POST request to execute arbitrary script in a user's browser.

User interaction is required when a user accesses the cadastro_pet.php page containing the stored payload.


Remediation

Install update from vendor's website.

References