Pedro-Lyrio

#10669of 53,633
25.9Total CVSS
Vulnerabilities · 3
Medium
1
Critical
2
PT-2025-28216
6.1
2025-07-07
Wegia · Wegia · CVE-2025-53526
Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.3 Description: A Cross-Site Scripting (XSS) Injection issue was found in WeGIA, a web manager for charitable institutions. The vulnerability is located in the `novo memorando.php` file. When a memo is submitted, the injected script is executed in the browser upon loading the `listar memorandos antigos.php` page. Recommendations: For versions prior to 3.4.3, update to version 3.4.3 to resolve the issue. As a temporary workaround, consider restricting access to the `novo memorando.php` and `listar memorandos antigos.php` pages until the update is applied.
PT-2025-28219
9.8
2025-07-07
Wegia · Wegia · CVE-2025-53529
Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.3 Description: A critical issue was identified in WeGIA, a web manager for charitable institutions. The `/html/funcionario/profile funcionario.php` endpoint is vulnerable due to the `id funcionario` parameter not being properly sanitized or validated before being used in a SQL query. This allows an unauthenticated attacker to inject arbitrary SQL commands. Recommendations: For versions prior to 3.4.3, update to version 3.4.3 to resolve the issue. As a temporary workaround, consider restricting access to the `/html/funcionario/profile funcionario.php` endpoint until the update is applied. Additionally, avoid using the `id funcionario` parameter in the affected endpoint until the issue is resolved.
PT-2025-26206
10
2025-06-18
Wegia · Wegia · CVE-2025-50201
**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.2 **Description** The issue is related to an OS Command Injection flaw in the "/html/configuracao/debug info.php" endpoint. The `branch` parameter is not properly sanitized before being concatenated and executed in a shell command on the server's operating system. This allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user. **Recommendations** For versions prior to 3.4.2, update to version 3.4.2 to resolve the issue. As a temporary workaround, consider restricting access to the "/html/configuracao/debug info.php" endpoint to minimize the risk of exploitation. Avoid using the `branch` parameter in the affected endpoint until the issue is resolved.