CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22596 – WeGIA has a Cross-Site Scripting (XSS) Reflected endpoint 'modulos_visiveis.php' parameter'msg_c'
https://notcve.org/view.php?id=CVE-2025-22596
10 Jan 2025 — WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the modulos_visiveis.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. This vulnerability is fixed in 3.2.8. • https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jcj3-gqj3-rrvm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22143 – WeGIA Cross-Site Scripting (XSS) Reflected endpoint 'listar_permissoes.php' parameter 'msg_e'
https://notcve.org/view.php?id=CVE-2025-22143
08 Jan 2025 — WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the listar_permissoes.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.2.8. • https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-gxh2-8jxp-m59h • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22141 – WeGIA SQL Injection (Blind Time-Based) endpoint 'verificar_recursos_cargo.php' parameter 'cargo'
https://notcve.org/view.php?id=CVE-2025-22141
08 Jan 2025 — WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /dao/verificar_recursos_cargo.php endpoint, specifically in the cargo parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8. • https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22139 – WeGIA Cross-Site Scripting (XSS) Reflected endpoint `configuracao_geral.php` parameter `msg`
https://notcve.org/view.php?id=CVE-2025-22139
08 Jan 2025 — WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the configuracao_geral.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. This vulnerability is fixed in 3.2.8. • https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-xrjq-57mq-4hf8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22140 – WeGIA SQL Injection (Blind Time-Based) endpoint 'dependente_listar_um.php' parameter 'id_dependente'
https://notcve.org/view.php?id=CVE-2025-22140
08 Jan 2025 — WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar_um.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8. • https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mrhp-wfp2-59h5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22133 – WeGIA Allows Arbitrary File Upload with Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2025-22133
07 Jan 2025 — WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which can then be executed by the server. This vulnerability is fixed in 3.2.8. • https://github.com/nilsonLazarin/WeGIA/commit/a08f04de96d3caec85496d7a89a5b82d1960d9dd • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22132 – WeGIA has a Cross-Site Scripting (XSS) in File Upload Field
https://notcve.org/view.php?id=CVE-2025-22132
07 Jan 2025 — WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7. • https://github.com/nilsonLazarin/WeGIA/commit/330f641db43cfb0c8ea8bb6025cc0732de4d4d6b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-434: Unrestricted Upload of File with Dangerous Type •