SB2026050782 - Multiple vulnerabilities in WeGIA



SB2026050782 - Multiple vulnerabilities in WeGIA

Published: May 7, 2026

Security Bulletin ID SB2026050782
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2026-45025)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in victims' browsers.

The vulnerability exists due to cross-site scripting in html/atendido/etapa_processo.php when rendering etapa descriptions. A remote privileged user can inject malicious HTML or JavaScript into the description field to execute arbitrary JavaScript in victims' browsers.

The injected script is stored and executed when users access the "Etapas de um Processo" page, which can lead to session hijacking and account takeover.


2) Cross-site scripting (CVE-ID: CVE-2026-45026)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in victims' browsers.

The vulnerability exists due to cross-site scripting in html/atendido/processo_aceitacao.php when rendering user-controlled process description content. A remote privileged user can submit specially crafted input to execute arbitrary JavaScript in victims' browsers.

The injected script is stored and executed when users access the acceptance process page, which may enable session hijacking or account takeover.


3) Use of a One-Way Hash without a Salt (CVE-ID: CVE-2026-45027)

CWE-ID: CWE-759 - Use of a One-Way Hash without a Salt

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to use of a one-way hash without a salt in html/login.php when hashing and verifying user passwords during login. A remote attacker can obtain password hashes from the pessoa table and perform offline cracking to disclose sensitive information.

The password change flow in controle/FuncionarioControle.php follows the same unsalted SHA-256 hashing pattern.


Remediation

Install update from vendor's website.