Rafaelcorvino1

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.4 Description: WeGIA is an open source web manager designed for the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the `/editar permissoes.php` API endpoint. Attackers can inject malicious scripts through the `msg c` parameter. Recommendations: Update to version 3.4.4 or later. As a temporary workaround, avoid using the `msg c` parameter in the `/editar permissoes.php` endpoint.

Name of the Vulnerable Software and Affected Versions: Indico versions 2.2 through 3.3.7 Description: Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. An endpoint used to display details of users listed in certain fields could be misused to dump basic user details (such as name, affiliation, and email) in bulk. Recommendations: Upgrade to version 3.3.7 or later. Consider restricting user search to managers. Restrict access to the affected endpoints in the webserver configuration.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.4.5 **Description** WeGIA is an open source web manager. A Stored Cross-Site Scripting (XSS) vulnerability exists in the `adicionar cor.php` endpoint, allowing attackers to inject malicious scripts into the `cor` parameter. These scripts are stored on the server and executed when the `cadastro pet.php` page is accessed by users. **Recommendations** Update to version 3.4.5 or later.

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.3.0 Description: The WeGIA server has a vulnerability that allows excessively long HTTP GET requests to a specific URL, resulting from the lack of validation for the length of the `errorstr` parameter. This issue leads to high resource consumption, elevated latency, timeouts, and read errors, making the server susceptible to Denial of Service (DoS) attacks. Recommendations: For versions prior to 3.3.0, update to version 3.3.0 to resolve the issue. As a temporary workaround, consider restricting the length of HTTP GET requests to prevent excessive resource consumption.

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.3.0 Description: The WeGIA server has a vulnerability that allows excessively long HTTP GET requests to a specific URL, resulting from the lack of validation for the length of the `fid` parameter. This issue can cause high resource consumption, elevated latency, timeouts, and read errors, making the server susceptible to Denial of Service (DoS) attacks. Recommendations: For versions prior to 3.3.0, update to version 3.3.0 to fix the vulnerability and prevent DoS attacks. As a temporary workaround, consider restricting the length of the `fid` parameter in HTTP GET requests to prevent excessive resource consumption.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.2.16 **Description** A Denial of Service (DoS) issue exists, allowing any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering. This is caused by recursive crawling of dynamically generated URLs and insufficient handling of large volumes of requests. **Recommendations** For versions prior to 3.2.16, update to version 3.2.16 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions up to and including 3.2.10 **Description** WeGIA is a Web manager for charitable institutions. An Open Redirect issue was identified in the `control.php` endpoint, allowing the `nextPage` parameter to be manipulated and redirecting authenticated users to arbitrary external URLs without validation. This issue stems from the lack of validation for the `nextPage` parameter, which accepts external URLs as redirection destinations. The issue can be exploited to perform phishing attacks or redirect users to malicious websites. **Recommendations** For versions up to and including 3.2.10, update to version 3.2.11 to resolve the issue. As a temporary workaround, consider restricting access to the `control.php` endpoint or validating the `nextPage` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.2.6 **Description** A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `dependente parentesco adicionar.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the `descricao` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. The application fails to properly validate and sanitize user inputs in the `dependente parentesco adicionar.php` parameter. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system. **Recommendations** For WeGIA versions prior to 3.2.6, upgrade to version 3.2.6 to address the Stored Cross-Site Scripting (XSS) vulnerability. As a temporary workaround, consider restricting access to the `dependente parentesco adicionar.php` endpoint until the upgrade is applied. Additionally, avoid using the `descricao` parameter in the affected endpoint until the issue is resolved.