All the vulnerabilites related to nilsonLazarin - WeGIA
cve-2025-22132
Vulnerability from cvelistv5
Published
2025-01-07 22:04
Modified
2025-01-08 15:34
Severity ?
EPSS score ?
Summary
WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-h8hr-jhcx-fcv9 | x_refsource_CONFIRM | |
| https://github.com/nilsonLazarin/WeGIA/commit/330f641db43cfb0c8ea8bb6025cc0732de4d4d6b | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | nilsonLazarin | WeGIA |
Version: < 3.2.7 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22132",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T15:34:37.463900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T15:34:50.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WeGIA",
"vendor": "nilsonLazarin",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim\u0027s browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T22:04:41.805Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-h8hr-jhcx-fcv9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-h8hr-jhcx-fcv9"
},
{
"name": "https://github.com/nilsonLazarin/WeGIA/commit/330f641db43cfb0c8ea8bb6025cc0732de4d4d6b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nilsonLazarin/WeGIA/commit/330f641db43cfb0c8ea8bb6025cc0732de4d4d6b"
}
],
"source": {
"advisory": "GHSA-h8hr-jhcx-fcv9",
"discovery": "UNKNOWN"
},
"title": "WeGIA has a Cross-Site Scripting (XSS) in File Upload Field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22132",
"datePublished": "2025-01-07T22:04:41.805Z",
"dateReserved": "2024-12-30T03:00:33.652Z",
"dateUpdated": "2025-01-08T15:34:50.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-22140
Vulnerability from cvelistv5
Published
2025-01-08 18:25
Modified
2025-01-08 19:32
Severity ?
EPSS score ?
Summary
WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar_um.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mrhp-wfp2-59h5 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | nilsonLazarin | WeGIA |
Version: < 3.2.8 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22140",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T19:31:38.031582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T19:32:00.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mrhp-wfp2-59h5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WeGIA",
"vendor": "nilsonLazarin",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar_um.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T18:25:57.950Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mrhp-wfp2-59h5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mrhp-wfp2-59h5"
}
],
"source": {
"advisory": "GHSA-mrhp-wfp2-59h5",
"discovery": "UNKNOWN"
},
"title": "WeGIA SQL Injection (Blind Time-Based) endpoint \u0027dependente_listar_um.php\u0027 parameter \u0027id_dependente\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22140",
"datePublished": "2025-01-08T18:25:57.950Z",
"dateReserved": "2024-12-30T03:00:33.653Z",
"dateUpdated": "2025-01-08T19:32:00.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-22141
Vulnerability from cvelistv5
Published
2025-01-08 18:27
Modified
2025-01-08 19:27
Severity ?
EPSS score ?
Summary
WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /dao/verificar_recursos_cargo.php endpoint, specifically in the cargo parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | nilsonLazarin | WeGIA |
Version: < 3.2.8 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22141",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T19:27:38.676424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T19:27:47.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WeGIA",
"vendor": "nilsonLazarin",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /dao/verificar_recursos_cargo.php endpoint, specifically in the cargo parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T18:27:08.543Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636"
}
],
"source": {
"advisory": "GHSA-w7hp-2w2c-p636",
"discovery": "UNKNOWN"
},
"title": "WeGIA SQL Injection (Blind Time-Based) endpoint \u0027verificar_recursos_cargo.php\u0027 parameter \u0027cargo\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22141",
"datePublished": "2025-01-08T18:27:08.543Z",
"dateReserved": "2024-12-30T03:00:33.653Z",
"dateUpdated": "2025-01-08T19:27:47.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-22133
Vulnerability from cvelistv5
Published
2025-01-07 22:07
Modified
2025-01-08 14:52
Severity ?
EPSS score ?
Summary
WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which can then be executed by the server. This vulnerability is fixed in 3.2.8.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mjgr-2jxv-v8qf | x_refsource_CONFIRM | |
| https://github.com/nilsonLazarin/WeGIA/commit/a08f04de96d3caec85496d7a89a5b82d1960d9dd | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | nilsonLazarin | WeGIA |
Version: < 3.2.8 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22133",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T14:52:20.913964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T14:52:28.078Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mjgr-2jxv-v8qf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WeGIA",
"vendor": "nilsonLazarin",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which can then be executed by the server. This vulnerability is fixed in 3.2.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T22:07:13.958Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mjgr-2jxv-v8qf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mjgr-2jxv-v8qf"
},
{
"name": "https://github.com/nilsonLazarin/WeGIA/commit/a08f04de96d3caec85496d7a89a5b82d1960d9dd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nilsonLazarin/WeGIA/commit/a08f04de96d3caec85496d7a89a5b82d1960d9dd"
}
],
"source": {
"advisory": "GHSA-mjgr-2jxv-v8qf",
"discovery": "UNKNOWN"
},
"title": "WeGIA Allows Arbitrary File Upload with Remote Code Execution (RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22133",
"datePublished": "2025-01-07T22:07:13.958Z",
"dateReserved": "2024-12-30T03:00:33.652Z",
"dateUpdated": "2025-01-08T14:52:28.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-22139
Vulnerability from cvelistv5
Published
2025-01-08 18:26
Modified
2025-01-08 19:29
Severity ?
EPSS score ?
Summary
WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the configuracao_geral.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. This vulnerability is fixed in 3.2.8.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-xrjq-57mq-4hf8 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | nilsonLazarin | WeGIA |
Version: < 3.2.8 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22139",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T19:28:40.396619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T19:29:21.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xrjq-57mq-4hf8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WeGIA",
"vendor": "nilsonLazarin",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the configuracao_geral.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. This vulnerability is fixed in 3.2.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T18:26:04.346Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-xrjq-57mq-4hf8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-xrjq-57mq-4hf8"
}
],
"source": {
"advisory": "GHSA-xrjq-57mq-4hf8",
"discovery": "UNKNOWN"
},
"title": "WeGIA Cross-Site Scripting (XSS) Reflected endpoint `configuracao_geral.php` parameter `msg`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22139",
"datePublished": "2025-01-08T18:26:04.346Z",
"dateReserved": "2024-12-30T03:00:33.653Z",
"dateUpdated": "2025-01-08T19:29:21.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}