SB2026043093 - Multiple vulnerabilities in WeGIA
Published: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-53377)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in the cadastro_dependente_pessoa_nova.php endpoint when processing the id_funcionario parameter. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.
User interaction is required for the crafted response to be rendered in a browser.
2) Cross-site scripting (CVE-ID: CVE-2025-53525)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting (XSS) in the profile_familiar.php endpoint when handling the id_dependente parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.
User interaction is required for the crafted request to be processed in the victim's browser.
3) Cross-site scripting (CVE-ID: CVE-2025-53526)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in novo_memorando.php when processing memo content that is later rendered in listar_memorandos_antigos.php. A remote attacker can submit a specially crafted memo to execute arbitrary script in a victim's browser.
User interaction is required when a user loads the old memo listing page.
4) SQL injection (CVE-ID: CVE-2025-53529)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the html/funcionario/profile_funcionario.php endpoint when processing the id_funcionario parameter in SQL queries. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.
Remediation
Install update from vendor's website.
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qgrq-qjq6-h6gj
- https://github.com/advisories/GHSA-qgrq-qjq6-h6gj
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-982x-v58q-6qpj
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-46fm-hx2r-69fg
- https://github.com/advisories/GHSA-46fm-hx2r-69fg
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rrj6-pj6w-8j2r
- https://github.com/advisories/GHSA-rrj6-pj6w-8j2r