Gabrielpintosouza

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.5 **Description** WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the `adicionar tipo docs atendido.php` script does not utilize the project’s central controller and lacks appropriate authentication and permission checks. This allows a malicious user to access features intended for employees by making requests through tools like Postman or directly via the file’s URL. The issue enables external parties to inject unauthorized data into the application server’s storage. The `adicionar tipo docs atendido.php` script is directly accessible, bypassing normal security measures. **Recommendations** Versions prior to 3.6.5: Update to version 3.6.5 or later to resolve the authentication bypass and data injection issue.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.5.0 **Description** WeGIA, a Web manager for charitable institutions, contains a SQL Injection flaw. The issue affects the `control.php` endpoint, specifically through the `id produto` parameter. Exploitation can occur via malicious commands injected into the `id produto` parameter. The issue was addressed in version 3.5.0 through the implementation of prepared statements, sanitization, and validation of the `id produto` parameter. **Recommendations** Update to version 3.5.0 or later. Apply prepared statements methods to the `id produto` parameter. Implement sanitization and validation on the `id produto` parameter.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions up to and including 3.3.0 **Description** An unauthenticated SQL Injection issue was identified in the endpoint "/html/socio/sistema/get socios.php", specifically in the query parameter. This allows attackers to inject and execute arbitrary SQL statements against the application's underlying database, potentially leading to data exfiltration, authentication bypass, or complete database compromise. **Recommendations** For versions up to and including 3.3.0, update to version 3.3.1 to fix the issue. As a temporary workaround, consider restricting access to the vulnerable endpoint "/html/socio/sistema/get socios.php" until the update is applied.