SB2026043093 - Multiple vulnerabilities in WeGIA
Published: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-53377)
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in the cadastro_dependente_pessoa_nova.php endpoint when processing the id_funcionario parameter. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.
User interaction is required for the crafted response to be rendered in a browser.
2) Cross-site scripting (CVE-ID: CVE-2025-53525)
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting (XSS) in the profile_familiar.php endpoint when handling the id_dependente parameter in GET requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.
User interaction is required for the crafted request to be processed in the victim's browser.
3) Cross-site scripting (CVE-ID: CVE-2025-53526)
The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in novo_memorando.php when processing memo content that is later rendered in listar_memorandos_antigos.php. A remote attacker can submit a specially crafted memo to execute arbitrary script in a victim's browser.
User interaction is required when a user loads the old memo listing page.
4) SQL injection (CVE-ID: CVE-2025-53529)
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the html/funcionario/profile_funcionario.php endpoint when processing the id_funcionario parameter in SQL queries. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.
Remediation
Install update from vendor's website.
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qgrq-qjq6-h6gj
- https://github.com/advisories/GHSA-qgrq-qjq6-h6gj
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-982x-v58q-6qpj
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-46fm-hx2r-69fg
- https://github.com/advisories/GHSA-46fm-hx2r-69fg
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-rrj6-pj6w-8j2r
- https://github.com/advisories/GHSA-rrj6-pj6w-8j2r