SB2026050782 - Multiple vulnerabilities in WeGIA
Published: May 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-45025)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in victims' browsers.
The vulnerability exists due to cross-site scripting in html/atendido/etapa_processo.php when rendering etapa descriptions. A remote privileged user can inject malicious HTML or JavaScript into the description field to execute arbitrary JavaScript in victims' browsers.
The injected script is stored and executed when users access the "Etapas de um Processo" page, which can lead to session hijacking and account takeover.
2) Cross-site scripting (CVE-ID: CVE-2026-45026)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in victims' browsers.
The vulnerability exists due to cross-site scripting in html/atendido/processo_aceitacao.php when rendering user-controlled process description content. A remote privileged user can submit specially crafted input to execute arbitrary JavaScript in victims' browsers.
The injected script is stored and executed when users access the acceptance process page, which may enable session hijacking or account takeover.
3) Use of a One-Way Hash without a Salt (CVE-ID: CVE-2026-45027)
CWE-ID: CWE-759 - Use of a One-Way Hash without a Salt
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of a one-way hash without a salt in html/login.php when hashing and verifying user passwords during login. A remote attacker can obtain password hashes from the pessoa table and perform offline cracking to disclose sensitive information.
The password change flow in controle/FuncionarioControle.php follows the same unsalted SHA-256 hashing pattern.
Remediation
Install update from vendor's website.