Wegia

126 CVEs product

Monthly

CVE-2026-42873 NONE PATCH Awaiting Data

Information disclosure in WeGIA versions prior to 3.6.10 allows authenticated remote attackers to obtain sensitive technical details through overly descriptive error messages in the file upload endpoint (funcionario/docdependente_upload.php), expanding the attack surface for subsequent exploitation attempts.

PHP Information Disclosure Wegia
NVD GitHub
EPSS
0.0%
CVE-2026-31896 CRITICAL Act Now

SQL injection in WeGIA before 3.6.6.

PHP Denial Of Service Information Disclosure SQLi Wegia
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31895 HIGH This Week

WeGIA is a web manager for charitable institutions. Versions up to 3.6.6 are affected by SQL injection (CVSS 8.8).

PHP SQLi Wegia
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31894 HIGH This Week

WeGIA 3.6.5 allows unauthenticated remote attackers to read arbitrary files on the server through symlink traversal in backup database extraction functionality. When processing tar.gz archives, the application fails to validate whether extracted members are symbolic links before reading their contents, enabling an attacker to access sensitive files like database credentials or configuration data. No patch is currently available for this vulnerability.

Information Disclosure Wegia
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28411 CRITICAL POC Act Now

Authentication bypass via unsafe extract() function in WeGIA before 3.6.5. The extract() call on user-controlled data allows overwriting authentication variables. EPSS 0.7% with PoC available.

PHP Authentication Bypass Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-28409 CRITICAL POC Act Now

Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.

Authentication Bypass RCE Command Injection Wegia
NVD GitHub
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-28408 CRITICAL POC Act Now

Authentication bypass in WeGIA charitable institution management system before 3.6.5. The adicionar_tipo_docs_atendido.php script lacks authentication, allowing unauthorized access. PoC available.

PHP Golang Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-23731 MEDIUM POC PATCH This Month

WeGIA prior to version 3.6.2 lacks framing protection headers (X-Frame-Options and Content-Security-Policy), allowing attackers to perform clickjacking attacks by embedding the application within malicious web pages to trick users into unintended actions. Public exploit code exists for this vulnerability, affecting charitable institutions using vulnerable versions of the web manager.

XSS Wegia
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23730 MEDIUM POC PATCH This Month

WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability. The flaw is resolved in version 3.6.2 and later.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23729 MEDIUM POC PATCH This Month

WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks while maintaining the appearance of a trusted WeGIA domain. The vulnerability is resolved in WeGIA 3.6.2 and later versions.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23728 MEDIUM POC PATCH This Month

WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to properly validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, enabling attackers to conduct phishing campaigns and credential harvesting attacks while leveraging the trust associated with the legitimate WeGIA domain. Update to version 3.6.2 or later to remediate this issue.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23727 MEDIUM POC PATCH This Month

WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external websites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks that abuse the trusted WeGIA domain. The vulnerability is resolved in version 3.6.2.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23726 MEDIUM POC PATCH This Month

WeGIA prior to version 3.6.2 contains an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to craft malicious links redirecting users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability, which affects all users who click attacker-controlled links within the application. The vulnerability is resolved in version 3.6.2.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23725 MEDIUM POC PATCH This Month

Stored XSS in WeGIA before version 3.6.2 allows authenticated users to inject malicious scripts into adopter information fields that execute in the browsers of all visitors to the affected pages. Public exploit code exists for this vulnerability, which impacts the html/pet/adotantes/cadastro_adotante.php and informacao_adotantes.php endpoints. Organizations should upgrade to version 3.6.2 or later to mitigate the risk of persistent JavaScript injection attacks.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23724 MEDIUM POC PATCH This Month

Stored XSS in WeGIA's attendance incident form allows authenticated attackers to inject malicious scripts through unsanitized dropdown fields, affecting versions prior to 3.6.2. An attacker with login credentials can craft payloads that execute in other users' browsers when they view the affected page. Public exploit code exists for this vulnerability, and a patch is available in version 3.6.2 and later.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23723 HIGH POC PATCH This Week

SQL injection in WeGIA's Atendido_ocorrenciaControle endpoint allows authenticated attackers to manipulate the id_memorando parameter and extract entire databases, exposing sensitive personal information and potentially reading arbitrary files on misconfigured systems. Public exploit code exists for this vulnerability affecting WeGIA versions prior to 3.6.2. A patch is available in version 3.6.2 and should be deployed immediately to affected charitable institution management systems.

SQLi Wegia
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-23722 CRITICAL POC Act Now

WeGIA web manager for charitable institutions has a reflected XSS vulnerability prior to version 3.6.2 that enables account takeover through crafted malicious links.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-61665 HIGH POC PATCH This Week

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0.

PHP Information Disclosure Wegia
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-61606 MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain an Open Redirect vulnerability, identified in the control.php endpoint, specifically in the nextPage parameter (metodo=listarUm nomeClasse=FuncionarioControle). This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft. This issue is fixed in version 3.5.0.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-61605 CRITICAL POC PATCH Act Now

Second SQL injection in WeGIA 3.4.12. PoC and patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-61604 HIGH POC PATCH This Week

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Cross-Site Request Forgery (CSRF) vulnerability. The delete operation for the Almoxarifado entity is exposed via HTTP GET without CSRF protection, allowing a third-party site to trigger the action using the victim’s authenticated session. This issue is fixed in version 3.5.0.

CSRF Wegia
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-61603 CRITICAL POC PATCH Act Now

SQL injection in WeGIA 3.4.12 and below. PoC and patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-59939 HIGH POC This Week

WeGIA is a Web manager for charitable institutions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-58745 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Code Injection File Upload Wegia
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2025-58454 HIGH POC This Week

WeGIA is a Web manager for charitable institutions. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2025-58453 HIGH POC This Week

WeGIA is a Web manager for charitable institutions. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2025-58452 LOW POC Monitor

WeGIA is a Web manager for charitable institutions. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Wegia
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-58159 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Code Injection Wegia
NVD GitHub
CVSS 3.1
9.9
EPSS
0.6%
CVE-2025-57765 MEDIUM POC PATCH This Week

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-57764 MEDIUM POC PATCH This Week

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-57763 MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Wegia
NVD GitHub
CVSS 4.0
6.4
EPSS
0.0%
CVE-2025-57762 MEDIUM POC PATCH This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
CVSS 4.0
6.4
EPSS
0.0%
CVE-2025-57761 CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.0%
CVE-2025-55171 HIGH PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

PHP Authentication Bypass Wegia
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-55170 MEDIUM POC PATCH This Week

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-55169 CRITICAL POC PATCH Act Now

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Authentication Bypass Path Traversal Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
1.6%
CVE-2025-55168 CRITICAL POC Act Now

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-55167 CRITICAL POC PATCH Act Now

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.0%
CVE-2025-53824 MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the editar_permissoes.php endpoint of the WeGIA application prior to version 3.4.4. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. Version 3.4.4 fixes the issue.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-53823 HIGH POC PATCH This Week

WeGIA versions prior to 3.4.5 contain a SQL Injection vulnerability in the member deletion endpoint that allows authenticated users to execute arbitrary SQL commands via the `id_socio` parameter. This high-severity vulnerability (CVSS 8.8) compromises the confidentiality, integrity, and availability of the entire database. The vulnerability requires valid credentials to exploit but offers complete database compromise once authenticated.

PHP Information Disclosure SQLi Wegia
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-53822 MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `relatorio_geracao.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `tipo_relatorio` parameter. Version 3.4.5 has a patch for the issue.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53821 MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. An Open Redirect vulnerability exists in the web application prior to version 3.4.5. The control.php endpoint allows an arbitrary URL to be specified via the `nextPage` parameter, leading to an uncontrolled redirection. Version 3.4.5 contains a fix for the issue.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-53820 MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `index.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `erro` parameter. Version 3.4.5 contains a patch for the issue.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53531 HIGH POC PATCH This Week

WeGIA is a web manager for charitable institutions. The WeGIA server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the fid parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0.

Denial Of Service Wegia
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-53530 HIGH POC PATCH This Week

WeGIA is a web manager for charitable institutions. The WeGIA server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the errorstr parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0.

Denial Of Service Wegia
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-53529 CRITICAL POC PATCH Act Now

WeGIA is a web manager for charitable institutions. An SQL Injection vulnerability was identified in the /html/funcionario/profile_funcionario.php endpoint. The id_funcionario parameter is not properly sanitized or validated before being used in a SQL query, allowing an unauthenticated attacker to inject arbitrary SQL commands. The vulnerability is fixed in 3.4.3.

PHP SQLi Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-53527 CRITICAL POC PATCH Act Now

WeGIA is a web manager for charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in the almox parameter of the /controle/relatorio_geracao.php endpoint. This issue allows an attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. This vulnerability is fixed in 3.4.1.

PHP SQLi Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-53526 MEDIUM POC PATCH This Month

WeGIA is a web manager for charitable institutions. An XSS Injection vulnerability was identified in novo_memorando.php. After the memo was submitted, the vulnerability was confirmed by accessing listar_memorandos_antigos.php. Upon loading this page, the injected script was executed in the browser. This vulnerability is fixed in 3.4.3.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-53525 MEDIUM POC PATCH This Month

WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the profile_familiar.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_dependente parameter. This vulnerability is fixed in 3.4.3.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-53377 MEDIUM POC PATCH This Month

WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cadastro_dependente_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_funcionario parameter. This vulnerability is fixed in 3.4.3.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-53091 CRITICAL POC Act Now

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in version 3.3.3 in the almox parameter of the `/controle/getProdutosPorAlmox.php` endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. Version 3.4.0 fixes the issue.

PHP SQLi Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-52474 CRITICAL POC PATCH Act Now

Critical SQL Injection vulnerability in WeGIA (a web-based management system for charitable institutions) affecting the 'id' parameter of the /WeGIA/controle/control.php endpoint in versions prior to 3.4.2. This unauthenticated, network-accessible vulnerability enables attackers to execute arbitrary SQL queries without privileges or user interaction, resulting in complete compromise of database confidentiality, integrity, and availability. The CVSS 9.8 score reflects the severe impact potential; however, KEV status, EPSS probability, and public POC availability could not be confirmed from provided data and should be verified through CISA and exploit databases.

PHP Information Disclosure SQLi Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-50201 CRITICAL POC PATCH THREAT Act Now

Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prior to 3.4.2, affecting the /html/configuracao/debug_info.php endpoint. An unauthenticated attacker can inject arbitrary operating system commands via the unsanitized 'branch' parameter, achieving remote code execution (RCE) with www-data user privileges. With a CVSS score of 9.8 and network-based attack vector requiring no authentication or user interaction, this represents an immediate and severe threat to all unpatched WeGIA deployments.

PHP Command Injection Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
30.1%
Threat
4.4
CVE-2025-46828 CRITICAL POC PATCH Act Now

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Authentication Bypass SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.6%
CVE-2025-30367 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.3%
CVE-2025-30366 MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wegia
NVD GitHub
CVSS 4.0
6.2
EPSS
0.1%
CVE-2025-30365 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.6%
CVE-2025-30364 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.6%
CVE-2025-30363 MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wegia
NVD GitHub
CVSS 4.0
6.4
EPSS
0.2%
CVE-2025-30362 MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wegia
NVD GitHub
CVSS 4.0
6.4
EPSS
0.1%
CVE-2025-30361 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Wegia
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-29782 MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_tipo_docs_atendido.php` endpoint in versions of the WeGIA. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Wegia
NVD GitHub
CVSS 4.0
6.4
EPSS
0.2%
CVE-2025-27499 MEDIUM POC PATCH This Month

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
CVSS 4.0
6.4
EPSS
0.2%
CVE-2025-27420 MEDIUM POC PATCH This Month

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
CVSS 4.0
6.4
EPSS
0.2%
CVE-2025-27419 CRITICAL POC PATCH Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Wegia
NVD GitHub
CVSS 4.0
9.2
EPSS
0.9%
CVE-2025-27418 MEDIUM POC PATCH This Month

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
CVSS 4.0
6.4
EPSS
0.1%
CVE-2025-27417 MEDIUM POC PATCH This Month

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
CVSS 4.0
6.4
EPSS
0.2%
CVE-2025-27140 CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP RCE Command Injection Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
6.0%
CVE-2025-27133 CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.5%
CVE-2025-27096 CRITICAL POC Act Now

WeGIA is a Web Manager for Institutions with a focus on Portuguese language. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2025-26617 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2025-26616 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Path Traversal Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.3%
CVE-2025-26615 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Path Traversal Wegia
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-26614 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2025-26613 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Command Injection Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
1.9%
CVE-2025-26612 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.5%
CVE-2025-26611 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2025-26610 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2025-26609 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2025-26608 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2025-26607 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2025-26606 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2025-26605 CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2025-24958 CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2025-24957 CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.5%
CVE-2025-24906 CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2025-24905 CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2025-24902 CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.3%
CVE-2025-24901 CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.5%
CVE-2025-24020 MEDIUM POC PATCH Monitor

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Open Redirect Wegia
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
EPSS 0%
NONE PATCH Awaiting Data

Information disclosure in WeGIA versions prior to 3.6.10 allows authenticated remote attackers to obtain sensitive technical details through overly descriptive error messages in the file upload endpoint (funcionario/docdependente_upload.php), expanding the attack surface for subsequent exploitation attempts.

PHP Information Disclosure Wegia
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in WeGIA before 3.6.6.

PHP Denial Of Service Information Disclosure +2
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

WeGIA is a web manager for charitable institutions. Versions up to 3.6.6 are affected by SQL injection (CVSS 8.8).

PHP SQLi Wegia
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

WeGIA 3.6.5 allows unauthenticated remote attackers to read arbitrary files on the server through symlink traversal in backup database extraction functionality. When processing tar.gz archives, the application fails to validate whether extracted members are symbolic links before reading their contents, enabling an attacker to access sensitive files like database credentials or configuration data. No patch is currently available for this vulnerability.

Information Disclosure Wegia
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass via unsafe extract() function in WeGIA before 3.6.5. The extract() call on user-controlled data allows overwriting authentication variables. EPSS 0.7% with PoC available.

PHP Authentication Bypass Wegia
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.

Authentication Bypass RCE Command Injection +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass in WeGIA charitable institution management system before 3.6.5. The adicionar_tipo_docs_atendido.php script lacks authentication, allowing unauthorized access. PoC available.

PHP Golang Wegia
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

WeGIA prior to version 3.6.2 lacks framing protection headers (X-Frame-Options and Content-Security-Policy), allowing attackers to perform clickjacking attacks by embedding the application within malicious web pages to trick users into unintended actions. Public exploit code exists for this vulnerability, affecting charitable institutions using vulnerable versions of the web manager.

XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability. The flaw is resolved in version 3.6.2 and later.

PHP Open Redirect Wegia
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

WeGIA charitable institution management software versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks while maintaining the appearance of a trusted WeGIA domain. The vulnerability is resolved in WeGIA 3.6.2 and later versions.

PHP Open Redirect Wegia
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to properly validate the nextPage parameter, allowing attackers to redirect authenticated users to malicious external sites. Public exploit code exists for this vulnerability, enabling attackers to conduct phishing campaigns and credential harvesting attacks while leveraging the trust associated with the legitimate WeGIA domain. Update to version 3.6.2 or later to remediate this issue.

PHP Open Redirect Wegia
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

WeGIA versions prior to 3.6.2 contain an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing unauthenticated attackers to redirect users to arbitrary external websites. Public exploit code exists for this vulnerability, which can be leveraged for phishing, credential harvesting, and malware distribution attacks that abuse the trusted WeGIA domain. The vulnerability is resolved in version 3.6.2.

PHP Open Redirect Wegia
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

WeGIA prior to version 3.6.2 contains an open redirect vulnerability in the control.php endpoint that fails to validate the nextPage parameter, allowing attackers to craft malicious links redirecting users to arbitrary external sites for phishing and credential theft. Public exploit code exists for this vulnerability, which affects all users who click attacker-controlled links within the application. The vulnerability is resolved in version 3.6.2.

PHP Open Redirect Wegia
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored XSS in WeGIA before version 3.6.2 allows authenticated users to inject malicious scripts into adopter information fields that execute in the browsers of all visitors to the affected pages. Public exploit code exists for this vulnerability, which impacts the html/pet/adotantes/cadastro_adotante.php and informacao_adotantes.php endpoints. Organizations should upgrade to version 3.6.2 or later to mitigate the risk of persistent JavaScript injection attacks.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Stored XSS in WeGIA's attendance incident form allows authenticated attackers to inject malicious scripts through unsanitized dropdown fields, affecting versions prior to 3.6.2. An attacker with login credentials can craft payloads that execute in other users' browsers when they view the affected page. Public exploit code exists for this vulnerability, and a patch is available in version 3.6.2 and later.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in WeGIA's Atendido_ocorrenciaControle endpoint allows authenticated attackers to manipulate the id_memorando parameter and extract entire databases, exposing sensitive personal information and potentially reading arbitrary files on misconfigured systems. Public exploit code exists for this vulnerability affecting WeGIA versions prior to 3.6.2. A patch is available in version 3.6.2 and should be deployed immediately to affected charitable institution management systems.

SQLi Wegia
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

WeGIA web manager for charitable institutions has a reflected XSS vulnerability prior to version 3.6.2 that enables account takeover through crafted malicious links.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0.

PHP Information Disclosure Wegia
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain an Open Redirect vulnerability, identified in the control.php endpoint, specifically in the nextPage parameter (metodo=listarUm&nomeClasse=FuncionarioControle). This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft. This issue is fixed in version 3.5.0.

PHP Open Redirect Wegia
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Second SQL injection in WeGIA 3.4.12. PoC and patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Cross-Site Request Forgery (CSRF) vulnerability. The delete operation for the Almoxarifado entity is exposed via HTTP GET without CSRF protection, allowing a third-party site to trigger the action using the victim’s authenticated session. This issue is fixed in version 3.5.0.

CSRF Wegia
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

SQL injection in WeGIA 3.4.12 and below. PoC and patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

WeGIA is a Web manager for charitable institutions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Code Injection +2
NVD GitHub
EPSS 0% CVSS 8.9
HIGH POC This Week

WeGIA is a Web manager for charitable institutions. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 8.9
HIGH POC This Week

WeGIA is a Web manager for charitable institutions. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

WeGIA is a Web manager for charitable institutions. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Wegia
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Week

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Week

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

PHP Authentication Bypass Wegia
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Week

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL POC PATCH Act Now

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Authentication Bypass Path Traversal +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the editar_permissoes.php endpoint of the WeGIA application prior to version 3.4.4. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. Version 3.4.4 fixes the issue.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

WeGIA versions prior to 3.4.5 contain a SQL Injection vulnerability in the member deletion endpoint that allows authenticated users to execute arbitrary SQL commands via the `id_socio` parameter. This high-severity vulnerability (CVSS 8.8) compromises the confidentiality, integrity, and availability of the entire database. The vulnerability requires valid credentials to exploit but offers complete database compromise once authenticated.

PHP Information Disclosure SQLi +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `relatorio_geracao.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `tipo_relatorio` parameter. Version 3.4.5 has a patch for the issue.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. An Open Redirect vulnerability exists in the web application prior to version 3.4.5. The control.php endpoint allows an arbitrary URL to be specified via the `nextPage` parameter, leading to an uncontrolled redirection. Version 3.4.5 contains a fix for the issue.

PHP Open Redirect Wegia
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `index.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `erro` parameter. Version 3.4.5 contains a patch for the issue.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the fid parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0.

Denial Of Service Wegia
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the errorstr parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0.

Denial Of Service Wegia
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

WeGIA is a web manager for charitable institutions. An SQL Injection vulnerability was identified in the /html/funcionario/profile_funcionario.php endpoint. The id_funcionario parameter is not properly sanitized or validated before being used in a SQL query, allowing an unauthenticated attacker to inject arbitrary SQL commands. The vulnerability is fixed in 3.4.3.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

WeGIA is a web manager for charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in the almox parameter of the /controle/relatorio_geracao.php endpoint. This issue allows an attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. This vulnerability is fixed in 3.4.1.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

WeGIA is a web manager for charitable institutions. An XSS Injection vulnerability was identified in novo_memorando.php. After the memo was submitted, the vulnerability was confirmed by accessing listar_memorandos_antigos.php. Upon loading this page, the injected script was executed in the browser. This vulnerability is fixed in 3.4.3.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the profile_familiar.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_dependente parameter. This vulnerability is fixed in 3.4.3.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cadastro_dependente_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_funcionario parameter. This vulnerability is fixed in 3.4.3.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in version 3.3.3 in the almox parameter of the `/controle/getProdutosPorAlmox.php` endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. Version 3.4.0 fixes the issue.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Critical SQL Injection vulnerability in WeGIA (a web-based management system for charitable institutions) affecting the 'id' parameter of the /WeGIA/controle/control.php endpoint in versions prior to 3.4.2. This unauthenticated, network-accessible vulnerability enables attackers to execute arbitrary SQL queries without privileges or user interaction, resulting in complete compromise of database confidentiality, integrity, and availability. The CVSS 9.8 score reflects the severe impact potential; however, KEV status, EPSS probability, and public POC availability could not be confirmed from provided data and should be verified through CISA and exploit databases.

PHP Information Disclosure SQLi +1
NVD GitHub
EPSS 30% 4.4 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prior to 3.4.2, affecting the /html/configuracao/debug_info.php endpoint. An unauthenticated attacker can inject arbitrary operating system commands via the unsanitized 'branch' parameter, achieving remote code execution (RCE) with www-data user privileges. With a CVSS score of 9.8 and network-based attack vector requiring no authentication or user interaction, this represents an immediate and severe threat to all unpatched WeGIA deployments.

PHP Command Injection Wegia
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL POC PATCH Act Now

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Authentication Bypass SQLi +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure SQLi +1
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wegia
NVD GitHub
EPSS 1% CVSS 9.4
CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wegia
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Wegia
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC This Month

WeGIA is a Web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_tipo_docs_atendido.php` endpoint in versions of the WeGIA. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL POC PATCH Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Wegia
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Wegia
NVD GitHub
EPSS 6% CVSS 10.0
CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP RCE Command Injection +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

WeGIA is a Web Manager for Institutions with a focus on Portuguese language. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Path Traversal +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Path Traversal +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Command Injection +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 1% CVSS 9.4
CRITICAL POC Act Now

WeGIA is a Web Manager for Charitable Institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH Monitor

WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Open Redirect Wegia
NVD GitHub