Marcelomulder

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.5.0 **Description** WeGIA is a Web Manager for Institutions focused on Portuguese language users. A flaw exists that allows redirection to arbitrary external domains via the `nextPage` parameter in the ''control.php'' endpoint (metodo=listarTodos nomeClasse=AlmoxarifeControle). This can be used for phishing, distributing malicious payloads, or stealing user credentials. **Recommendations** Update to version 3.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions 3.4.12 and below **Description** WeGIA, a web manager for charitable institutions, has a Broken Access Control issue. The `get relatorios socios.php` API endpoint allows unauthenticated attackers to directly access sensitive personal and financial information of members without authentication or authorization. **Recommendations** Update to version 3.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions 3.4.12 and below **Description** WeGIA is a web manager designed for charitable institutions. An Open Redirect issue exists in the `control.php` endpoint, specifically through the `nextPage` parameter (metodo=listarUmnomeClasse=FuncionarioControle). This allows attackers to redirect users to external domains, potentially enabling phishing, malicious payload distribution, or credential theft. **Recommendations** Update to version 3.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions 3.4.12 and below **Description** WeGIA is a Web manager for charitable institutions. A SQL Injection issue exists in the `/controle/control.php` endpoint, specifically in the `descricao` parameter. This allows attackers to execute arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the database. **Recommendations** Update to version 3.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions 3.4.12 and below **Description** WeGIA is an open source web manager designed for charitable institutions. A SQL Injection issue exists in the `id pet` parameter of the '/pet/profile pet.php' API endpoint. This allows attackers to execute arbitrary SQL commands, potentially compromising the database's confidentiality, integrity, and availability. The issue allows for full database takeover with low privileges. **Recommendations** Update to version 3.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions 3.4.12 and below **Description** WeGIA, a web manager designed for charitable institutions, is susceptible to a Cross-Site Request Forgery (CSRF) issue. The deletion function for the Almoxarifado entity is accessible through an HTTP GET request lacking CSRF protection. This allows an attacker to initiate the deletion process using a victim's active session on a malicious website. **Recommendations** Update to version 3.5.0 or later.

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.7 Description: WeGIA is a Web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability exists in the `dependente docdependente.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the `nome` parameter. The injected scripts are stored on the server and executed automatically when users access the affected page. Recommendations: Update WeGIA to version 3.4.7 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.6 **Description** WeGIA is an open source web manager. A SQL Injection issue was identified that allows an attacker to manipulate SQL queries and access sensitive database information. The vulnerability exists in the `idatendido familiares` parameter of the `/html/funcionario/dependente editarInfoPessoal.php` endpoint. **Recommendations** Update to version 3.4.6 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.6 **Description** WeGIA is an open source web manager. A SQL Injection issue was identified that allows an attacker to manipulate SQL queries and access sensitive database information. The vulnerability exists in the `idatendido familiares` parameter of the `/html/funcionario/dependente editarEndereco.php` endpoint. **Recommendations** Update WeGIA to version 3.4.6 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.6 **Description** WeGIA is an open source web manager. A SQL Injection vulnerability exists in the `idatendido familiares` parameter of the `/html/funcionario/dependente editarDoc.php` endpoint. This allows manipulation of SQL queries and potential access to sensitive database information. **Recommendations** Update WeGIA to version 3.4.6 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.6 **Description** WeGIA is an open source web manager. A SQL Injection vulnerability exists in versions prior to 3.4.6. This vulnerability allows attackers to execute arbitrary SQL commands via the `/html/funcionario/profile dependente.php` endpoint through the `id dependente` parameter, potentially compromising the confidentiality, integrity, and availability of the database. **Recommendations** Update to version 3.4.6 or later. As a temporary workaround, restrict access to the `/html/funcionario/profile dependente.php` endpoint. Avoid using the `id dependente` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.5 **Description** WeGIA is an open source web manager. A SQL Injection vulnerability exists due to manipulation of SQL queries through the `id funcionario` parameter of the `/html/saude/profile paciente.php` endpoint, potentially allowing access to sensitive database information. **Recommendations** Update WeGIA to version 3.4.5 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.5 **Description** An authentication bypass issue exists in the `/dao/verificar recursos cargo.php` API endpoint of the WeGIA application. This allows unauthenticated users to access protected functionalities and retrieve sensitive information by sending crafted HTTP requests without valid session cookies or authentication tokens. **Recommendations** Update to version 3.4.5 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.5 **Description** WeGIA is an open-source web manager designed for Portuguese-language and charitable institutions. A SQL Injection issue exists in the `/controle/control.php` API endpoint, specifically through the `cargo` parameter. This allows attackers to execute arbitrary SQL commands, potentially compromising the database's confidentiality, integrity, and availability. **Recommendations** Update to WeGIA version 3.4.5 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.5 **Description** A Reflected Cross-Site Scripting (XSS) vulnerability exists in the `personalizacao selecao.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts through the `nome car` parameter. **Recommendations** Update WeGIA to version 3.4.5 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.5 **Description** WeGIA is an open source web manager. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the `personalizacao selecao.php` endpoint. This vulnerability allows attackers to inject malicious scripts in the `id` parameter. **Recommendations** Update to version 3.4.5 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.5 **Description** WeGIA is an open source web manager. A Stored Cross-Site Scripting (XSS) vulnerability exists in the `adicionar enfermidade.php` endpoint. This allows attackers to inject malicious scripts into the `nome` parameter, which are then stored on the server and executed when users access the affected page. **Recommendations** Update WeGIA to version 3.4.5 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.5 **Description** WeGIA is an open-source web manager designed for Portuguese-language use and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability exists in the `control.php` endpoint. This allows attackers to inject malicious scripts into the `descricao emergencia` parameter. These scripts are stored on the server and executed when users access the affected page. **Recommendations** Update WeGIA to version 3.4.5 or later.

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.3 Description: A Reflected Cross-Site Scripting (XSS) issue was identified in the "cadastro dependente pessoa nova.php" endpoint of the WeGIA application. This issue allows attackers to inject malicious scripts in the `id funcionario` parameter. Recommendations: For versions prior to 3.4.3, update to version 3.4.3 to resolve the issue. As a temporary workaround, consider restricting access to the "cadastro dependente pessoa nova.php" endpoint or avoiding the use of the `id funcionario` parameter until the update is applied.

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.3 Description: A Reflected Cross-Site Scripting (XSS) issue was identified in the "profile familiar.php" endpoint of the WeGIA application. This issue allows attackers to inject malicious scripts in the `id dependente` parameter. Recommendations: For versions prior to 3.4.3, update to version 3.4.3 to resolve the issue. As a temporary workaround, consider restricting access to the "profile familiar.php" endpoint or avoiding the use of the `id dependente` parameter until the update is applied.