GabrielPintoSouza

61 exploits Active since Dec 2024
CVE-2025-27417 WRITEUP MEDIUM WRITEUP
WeGIA < 3.2.16 - Stored Cross-Site Scripting via adicionar_status_atendido.php Status Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionar_status_atendido.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the status parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.16.
CVSS 6.1
CVE-2025-27418 WRITEUP MEDIUM WRITEUP
WeGIA < 3.2.16 - Stored Cross-Site Scripting via adicionar_tipo_atendido.php tipo Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionar_tipo_atendido.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the tipo parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.16.
CVSS 5.4
CVE-2025-27419 WRITEUP HIGH WRITEUP
WeGIA < 3.2.16 - Unauthenticated Denial of Service via Aggressive Spidering
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Denial of Service (DoS) vulnerability exists in WeGIA. This vulnerability allows any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering. The vulnerability is caused by recursive crawling of dynamically generated URLs and insufficient handling of large volumes of requests. This vulnerability is fixed in 3.2.16.
CVSS 7.5
CVE-2025-27420 WRITEUP MEDIUM WRITEUP
WeGIA < 3.2.16 - Stored Cross-Site Scripting via Descricao Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the atendido_parentesco_adicionar.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the descricao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability fix in 3.2.16.
CVSS 5.4
CVE-2025-27499 WRITEUP MEDIUM WRITEUP
WeGIA < 3.2.10 - Stored Cross-Site Scripting via socio_nome Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the processa_edicao_socio.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the socio_nome parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.10.
CVSS 6.1
CVE-2025-46828 WRITEUP CRITICAL WRITEUP
WeGIA <= 3.3.0 - Unauthenticated SQL Injection via /html/socio/sistema/get_socios.php Query Parameter
WeGIA is a web manager for charitable institutions. An unauthenticated SQL Injection vulnerability was identified in versions up to and including 3.3.0 in the endpoint `/html/socio/sistema/get_socios.php`, specifically in the query parameter. This issue allows attackers to inject and execute arbitrary SQL statements against the application's underlying database. As a result, it may lead to data exfiltration, authentication bypass, or complete database compromise. Version 3.3.1 fixes the issue.
CVSS 9.8
CVE-2025-50201 WRITEUP CRITICAL WRITEUP
WeGIA < 3.4.2 - Unauthenticated OS Command Injection via Debug Info Branch Parameter
WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, an OS Command Injection vulnerability was identified in the /html/configuracao/debug_info.php endpoint. The branch parameter is not properly sanitized before being concatenated and executed in a shell command on the server's operating system. This flaw allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user (www-data). This issue has been patched in version 3.4.2.
CVSS 9.8
CVE-2025-52474 WRITEUP CRITICAL WRITEUP
WeGIA < 3.4.2 - SQL Injection via id Parameter in control.php Endpoint
WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, a SQL Injection vulnerability was identified in the id parameter of the /WeGIA/controle/control.php endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data. This issue has been patched in version 3.4.2.
CVSS 9.8
CVE-2025-53377 WRITEUP MEDIUM WRITEUP
WeGIA < 3.4.3 - Reflected Cross-Site Scripting via id_funcionario Parameter
WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cadastro_dependente_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_funcionario parameter. This vulnerability is fixed in 3.4.3.
CVSS 6.1
CVE-2025-53525 WRITEUP MEDIUM WRITEUP
WeGIA < 3.4.3 - Reflected Cross-Site Scripting via id_dependente Parameter
WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the profile_familiar.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_dependente parameter. This vulnerability is fixed in 3.4.3.
CVSS 6.1
CVE-2025-53526 WRITEUP MEDIUM WRITEUP
WeGIA < 3.4.3 - Stored Cross-Site Scripting via novo_memorando.php
WeGIA is a web manager for charitable institutions. An XSS Injection vulnerability was identified in novo_memorando.php. After the memo was submitted, the vulnerability was confirmed by accessing listar_memorandos_antigos.php. Upon loading this page, the injected script was executed in the browser. This vulnerability is fixed in 3.4.3.
CVSS 6.1
CVE-2025-53527 WRITEUP CRITICAL WRITEUP
WeGIA - Time-Based Blind SQL Injection via almox Parameter
WeGIA is a web manager for charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in the almox parameter of the /controle/relatorio_geracao.php endpoint. This issue allows attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. This vulnerability is fixed in 3.4.1.
CVSS 9.8
CVE-2025-53529 WRITEUP CRITICAL WRITEUP
WeGIA < 3.4.3 - Unauthenticated SQL Injection via id_funcionario Parameter
WeGIA is a web manager for charitable institutions. An SQL Injection vulnerability was identified in the /html/funcionario/profile_funcionario.php endpoint. The id_funcionario parameter is not properly sanitized or validated before being used in a SQL query, allowing an unauthenticated attacker to inject arbitrary SQL commands. The vulnerability is fixed in 3.4.3.
CVSS 9.8
CVE-2025-55167 WRITEUP CRITICAL WRITEUP
WeGIA < 3.4.8 - SQL Injection via id_dependente Parameter
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_remover.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue has been patched in version 3.4.8.
CVSS 9.8
CVE-2025-55169 WRITEUP MEDIUM WRITEUP
WeGIA < 3.4.8 - Path Traversal via Download Remessa Endpoint
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a path traversal vulnerability was discovered in the WeGIA application, html/socio/sistema/download_remessa.php endpoint. This vulnerability could allow an attacker to gain unauthorized access to local files in the server and sensitive information stored in config.php. config.php contains information that could allow direct access to the database. This issue has been patched in version 3.4.8.
CVSS 6.5
CVE-2025-55170 WRITEUP MEDIUM WRITEUP
WeGIA < 3.4.8 - Reflected Cross-Site Scripting via verificacao and redir_config Parameters
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a reflected cross-site scripting (XSS) vulnerability was identified in the /html/alterar_senha.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the verificacao and redir_config parameter. This issue has been patched in version 3.4.8.
CVSS 6.5
CVE-2025-55171 WRITEUP HIGH WRITEUP
WeGIA < 3.4.8 - Unauthenticated Arbitrary File Deletion via /html/personalizacao_remover.php
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, the application does not check authentication at endpoint /html/personalizacao_remover.php allowing anonymous attacker (without login) to delete any Image files at endpoint /html/personalizacao_remover.php by defining imagem_0 as image id to delete. This issue has been patched in version 3.4.8.
CVSS 7.5
CVE-2025-57761 WRITEUP HIGH WRITEUP
WeGIA < 3.4.10 - SQL Injection via id_funcionario Parameter
WeGIA is a Web manager for charitable institutions. Prior to 3.4.10, there is a SQL Injection vulnerability in the /html/funcionario/dependente_remover.php endpoint, specifically in the id_funcionario parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.4.10.
CVSS 8.8
CVE-2025-57762 WRITEUP MEDIUM WRITEUP
WeGIA < 3.4.7 - Stored Cross-Site Scripting via dependente_docdependente.php Nome Parameter
WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, there is a Stored Cross-Site Scripting (XSS) vulnerability in the dependente_docdependente.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the nome parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.4.7.
CVSS 6.1
CVE-2025-57764 WRITEUP MEDIUM WRITEUP
WeGIA < 3.4.7 - Reflected Cross-Site Scripting via cargos.php msg_e Parameter
WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cargos.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.4.7.
CVSS 6.5
CVE-2025-57765 WRITEUP MEDIUM WRITEUP
WeGIA < 3.4.7 - Reflected Cross-Site Scripting via msg_e Parameter
WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the pre_cadastro_adotante.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.4.7.
CVSS 6.5
CVE-2025-61603 WRITEUP CRITICAL WRITEUP
WeGIA < 3.5.0 - SQL Injection via descricao Parameter
WeGIA is a Web manager for charitable institutions. Versions 3.4.12 and below include an SQL Injection vulnerability which was identified in the /controle/control.php endpoint, specifically in the descricao parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue is fixed in version 3.5.0.
CVSS 9.8
CVE-2025-61604 WRITEUP HIGH WRITEUP
WeGIA < 3.5.0 - Cross-Site Request Forgery via Almoxarifado Delete Operation
WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Cross-Site Request Forgery (CSRF) vulnerability. The delete operation for the Almoxarifado entity is exposed via HTTP GET without CSRF protection, allowing a third-party site to trigger the action using the victim’s authenticated session. This issue is fixed in version 3.5.0.
CVSS 7.1
CVE-2025-61605 WRITEUP CRITICAL WRITEUP
WeGIA < 3.5.0 - SQL Injection via id_pet Parameter
WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain an SQL Injection vulnerability which was identified in the /pet/profile_pet.php endpoint, specifically in the id_pet parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue is fixed in version 3.5.0.
CVSS 9.8
CVE-2025-61606 WRITEUP MEDIUM WRITEUP
WeGIA < 3.5.0 - Open Redirect via control.php nextPage Parameter
WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain an Open Redirect vulnerability, identified in the control.php endpoint, specifically in the nextPage parameter (metodo=listarUmnomeClasse=FuncionarioControle). This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft. This issue is fixed in version 3.5.0.
CVSS 6.1