Volksec

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.2 **Description** WeGIA, a web manager for charitable institutions, is susceptible to clickjacking attacks. The application lacks defensive HTTP headers for framing protection, specifically missing the X-Frame-Options header and a Content-Security-Policy with a frame-ancestors directive. This allows an attacker to load WeGIA pages within a malicious HTML document, potentially overlaying deceptive elements or forcing unintended user interactions with sensitive workflows. **Recommendations** Update to version 3.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.2 **Description** WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) issue exists in the application due to insufficient sanitization of user-controlled data before rendering it within the “Atendido” selection dropdown. The vulnerability is located in the `html/atendido/cadastro ocorrencia.php` API endpoint. **Recommendations** Update to version 3.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.2 **Description** WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) issue exists in the application due to a failure to sanitize user-controlled input before rendering it. This allows for persistent JavaScript injection within the Adopters Information table. Visiting the affected page will automatically execute the injected payload. The vulnerable API endpoints are `/html/pet/adotantes/cadastro adotante.php` and `/html/pet/adotantes/informacao adotantes.php`. **Recommendations** Update to version 3.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.2 **Description** WeGIA is a web manager for charitable institutions. An Open Redirect issue exists in the `/WeGIA/controle/control.php` API endpoint, specifically through the `nextPage` parameter when used with `metodo=listarTodos` and `nomeClasse=TipoEntradaControle`. The application does not properly validate the `nextPage` parameter, which allows attackers to redirect users to arbitrary external websites. This could be used for phishing attacks, credential theft, malware distribution, and social engineering leveraging the trusted WeGIA domain. **Recommendations** Upgrade to version 3.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.2 **Description** WeGIA is a web manager for charitable institutions. An Open Redirect issue exists in the `/WeGIA/controle/control.php` API endpoint, specifically through the `nextPage` parameter when used with `metodo=listarTodos` and `nomeClasse=TipoSaidaControle`. The application does not properly validate the `nextPage` parameter, which allows attackers to redirect users to malicious websites. This could be used for phishing attacks, stealing credentials, distributing malware, and social engineering, leveraging the trust associated with the WeGIA domain. **Recommendations** Update to version 3.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.2 **Description** WeGIA is a web manager for charitable institutions. An Open Redirect issue exists in the `/WeGIA/controle/control.php` API endpoint, specifically through the `nextPage` parameter when used with `metodo=listarTodos` and `nomeClasse=DestinoControle`. The application does not properly validate or restrict the `nextPage` parameter, which allows attackers to redirect users to arbitrary external websites. This could be leveraged for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. **Recommendations** Update WeGIA to version 3.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.2 **Description** WeGIA is a web manager for charitable institutions. An Open Redirect issue exists in the `/WeGIA/controle/control.php` API endpoint, specifically through the `nextPage` parameter when used with `metodo=listarDescricao` and `nomeClasse=ProdutoControle`. The application does not properly validate the `nextPage` parameter, which allows attackers to redirect users to arbitrary external websites. This could be used for phishing attacks, credential theft, malware distribution, and social engineering leveraging the trusted WeGIA domain. **Recommendations** Update to version 3.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions prior to 3.6.2 **Description** WeGIA is a web manager for charitable institutions. An Open Redirect issue exists in the `/WeGIA/controle/control.php` endpoint, specifically through the `nextPage` parameter when used with `metodo=listarTodos` and `nomeClasse=ProdutoControle`. The application does not properly validate or restrict the `nextPage` parameter, which allows attackers to redirect users to arbitrary external websites. This could be used for phishing attacks, credential theft, malware distribution, and social engineering leveraging the trusted WeGIA domain. **Recommendations** Update to version 3.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** WeGIA versions 3.5.4 and below **Description** WeGIA, an open source Web Manager for Institutions, is affected by a Stored Cross-Site Scripting (XSS) issue. The application fails to sanitize user-controlled data before rendering it within the employee selection dropdown. Employee names are retrieved from the database and directly injected into HTML `<option>` elements without proper escaping. The vulnerability exists in the `/WeGIA/html/geral/configurar senhas.php` endpoint. **Recommendations** Update to version 3.5.5 or later.