GabrielPintoSouza

61 exploits Active since Dec 2024
CVE-2025-61665 WRITEUP HIGH WRITEUP
WeGIA < 3.5.0 - Unauthenticated Sensitive Information Exposure via get_relatorios_socios.php Endpoint
WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0.
CVSS 7.5
CVE-2025-62177 WRITEUP HIGH WRITEUP
WeGIA < 3.5.1 - SQL Injection via id_funcionario Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar.php endpoint, specifically in the id_funcionario parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.
CVSS 8.8
CVE-2025-62178 WRITEUP LOW WRITEUP
WeGIA < 3.5.1 - Reflected Cross-Site Scripting via idatendido Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /html/atendido/cadastro_atendido_parentesco_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the idatendido parameter. This vulnerability is fixed in 3.5.1.
CVSS 3.5
CVE-2025-62179 WRITEUP HIGH WRITEUP
WeGIA < 3.5.1 - SQL Injection via CPF Parameter in Funcionario Endpoint
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/cadastro_funcionario_pessoa_existente.php endpoint, specifically in the cpf parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.
CVSS 8.8
CVE-2025-62358 WRITEUP MEDIUM WRITEUP
WeGIA < 3.5.1 - Reflected Cross-Site Scripting via Log Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, the log parameter in configuracao_geral.php is vulnerable to Reflected Cross-Site Scripting (XSS). An attacker can inject arbitrary JavaScript, which executes in the victim’s browser. This vulnerability is fixed in 3.5.1.
CVSS 5.4
CVE-2025-62359 WRITEUP MEDIUM WRITEUP
WeGIA >=3.4.11 <3.5.0 - Reflected Cross-Site Scripting via id_pet Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.0, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /pet/profile_pet.php?id_pet= endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_pet parameter. This vulnerability is fixed in 3.5.0.
CVSS 6.1
CVE-2025-62360 WRITEUP HIGH WRITEUP
WeGIA < 3.5.1 - SQL Injection via id_dependente Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users.Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_documento.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.
CVSS 8.8
CVE-2025-62361 WRITEUP MEDIUM WRITEUP
WeGIA < 3.5.0 - Open Redirect via control.php nextPage Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.0, an Open Redirect vulnerability was identified in the control.php endpoint of the WeGIA application, specifically in the nextPage parameter (metodo=listarTodos nomeClasse=AlmoxarifeControle). This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft. This vulnerability is fixed in 3.5.0.
CVSS 6.1
CVE-2025-62597 WRITEUP MEDIUM WRITEUP
WeGIA < 3.5.1 - Reflected Cross-Site Scripting via editar_info_pessoal.php sql Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to version 3.5.1, a reflected cross-site scripting (XSS) vulnerability was identified in the editar_info_pessoal.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the sql parameter. The vulnerable endpoint is GET /WeGIA/html/pessoa/editar_info_pessoal.php?sql=1. This issue has been patched in version 3.5.1.
CVSS 6.1
CVE-2025-67496 WRITEUP MEDIUM WRITEUP
WeGIA < 3.5.5 - Stored Cross-Site Scripting in Employee Selection Dropdown
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application does not sanitize user-controlled data before rendering it inside the employee selection dropdown. The application retrieves employee names from the database and injects them directly into HTML <option> elements without proper escaping. This issue is fixed in version 3.5.5.
CVSS 4.3
CVE-2025-67501 WRITEUP HIGH WRITEUP
WeGIA < 3.5.5 - SQL Injection via id_categoria Parameter
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain an SQL Injection vulnerability in the /html/matPat/editar_categoria.php endpoint. The application fails to properly validate and sanitize user inputs in the id_categoria parameter, which allows attackers to inject malicious SQL payloads for direct execution. This issue is fixed in version 3.5.5.
CVSS 8.8