
CVE-2025-53377 – WeGIA allows Cross-Site Scripting (XSS) in cadastro_dependente_pessoa_nova.php via the id_funcionario parameter
https://notcve.org/view.php?id=CVE-2025-53377
07 Jul 2025 — WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cadastro_dependente_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_funcionario parameter. This vulnerability is fixed in 3.4.3. • https://github.com/LabRedesCefetRJ/WeGIA/commit/8ab726c9f4d0fce7ad6c66640c3126f95f73ddd7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-53091 – WeGIA has Unauthenticated Time-Based Blind SQL Injection in almox Parameter
https://notcve.org/view.php?id=CVE-2025-53091
27 Jun 2025 — WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in version 3.3.3 in the almox parameter of the `/controle/getProdutosPorAlmox.php` endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. Version 3.4.0 fixes the issue. • https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pmf9-2rc3-vvxx • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-6699 – LabRedesCefetRJ WeGIA Cadastro de Funcionário cadastro_funcionario.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-6699
26 Jun 2025 — A vulnerability classified as problematic has been found in LabRedesCefetRJ WeGIA 3.4.0. This affects an unknown part of the file /html/funcionario/cadastro_funcionario.php of the component Cadastro de Funcionário. The manipulation of the argument Nome/Sobrenome leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README7.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-6698 – LabRedesCefetRJ WeGIA Adicionar tipo adicionar_tipoSaida.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-6698
26 Jun 2025 — A vulnerability was found in LabRedesCefetRJ WeGIA 3.4.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /html/matPat/adicionar_tipoSaida.php of the component Adicionar tipo. The manipulation of the argument Insira o novo tipo leads to cross site scripting. The attack may be launched remotely. • https://vuldb.com/?id.313964 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-6697 – LabRedesCefetRJ WeGIA Adicionar tipo adicionar_tipoEntrada.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-6697
26 Jun 2025 — A vulnerability was found in LabRedesCefetRJ WeGIA 3.4.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /html/matPat/adicionar_tipoEntrada.php of the component Adicionar tipo. The manipulation of the argument Insira o novo tipo leads to cross site scripting. The attack can be launched remotely. • https://vuldb.com/?id.313963 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-6696 – LabRedesCefetRJ WeGIA Cadastro de Atendio Cadastro_Atendido.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-6696
26 Jun 2025 — A vulnerability was found in LabRedesCefetRJ WeGIA 3.4.0. It has been classified as problematic. Affected is an unknown function of the file /html/atendido/Cadastro_Atendido.php of the component Cadastro de Atendio. The manipulation of the argument Nome/Sobrenome leads to cross site scripting. It is possible to launch the attack remotely. • https://vuldb.com/?id.313962 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-6695 – LabRedesCefetRJ WeGIA Additional Categoria adicionar_categoria.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-6695
26 Jun 2025 — A vulnerability was found in LabRedesCefetRJ WeGIA 3.4.0 and classified as problematic. This issue affects some unknown processing of the file /html/matPat/adicionar_categoria.php of the component Additional Categoria. The manipulation of the argument Insira a nova categoria leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README2.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-6694 – LabRedesCefetRJ WeGIA Adicionar Unidade adicionar_unidade.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-6694
26 Jun 2025 — A vulnerability has been found in LabRedesCefetRJ WeGIA 3.4.0 and classified as problematic. This vulnerability affects unknown code of the file /html/matPat/adicionar_unidade.php of the component Adicionar Unidade. The manipulation of the argument Insira a nova unidade leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/RaulPazemecxas/PoCVulDb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-52474 – WeGIA SQL Injection Vulnerability in id Parameter on control.php Endpoint
https://notcve.org/view.php?id=CVE-2025-52474
19 Jun 2025 — WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, a SQL Injection vulnerability was identified in the id parameter of the /WeGIA/controle/control.php endpoint. This vulnerability allows an attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data. This issue has been patched in version 3.4.2. • https://github.com/LabRedesCefetRJ/WeGIA/commit/b6fbb3e21b8d71e50afe0395dca44acdd1ca2e29 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-50201 – WeGIA OS Command Injection in debug_info.php parameter 'branch'
https://notcve.org/view.php?id=CVE-2025-50201
19 Jun 2025 — WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, an OS Command Injection vulnerability was identified in the /html/configuracao/debug_info.php endpoint. The branch parameter is not properly sanitized before being concatenated and executed in a shell command on the server's operating system. This flaw allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user (www-data). This issue has been patched in version 3.4.2. • https://github.com/LabRedesCefetRJ/WeGIA/commit/45f32ad1d52775fc99f3c90075c8136c6d4d1d3d • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •