CVE-2026-23723
📋 TL;DR
An authenticated SQL injection vulnerability in WeGIA's Atendido_ocorrenciaControle endpoint allows attackers to extract sensitive data from the database. This affects all WeGIA installations prior to version 3.6.2 where users have authenticated access to the vulnerable endpoint.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Full database exfiltration including sensitive PII, potential arbitrary file reads leading to complete system compromise, and possible remote code execution in misconfigured environments.
Likely Case
Unauthorized access to sensitive personal data stored in the database, including donor information, beneficiary records, and internal operational data.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but uses standard SQL injection techniques. The vulnerability is well-documented in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.2
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xfmp-2hf9-gfjp
Restart Required: Yes
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.6.2 from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the web server service.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to reject malicious input in the id_memorando parameter
# Add validation in the endpoint handler to ensure id_memorando contains only numeric values
WAF Rule
Deploy web application firewall rules to block SQL injection patterns
# Configure WAF to detect and block SQL injection attempts in POST parameters
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for the vulnerable endpoint
- Restrict access to the Atendido_ocorrenciaControle endpoint to only authorized administrative users
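To make the "Input Validation Filter" workaround and the "parameterized queries" advice concrete, here is an added Python example; it is not WeGIA's code. WeGIA's real schema, endpoint handler and database driver are not on this page, so the memorando table, its columns and the in-memory sqlite3 database are stand-ins chosen for a self-contained demonstration. It shows the string-spliced query shape the advisory describes beside a hardened version that validates id_memorando as a plain integer and binds it as a query parameter.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the WeGIA database (assumption: real schema unknown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE memorando (id_memorando INTEGER PRIMARY KEY, assunto TEXT)"
    )
    conn.executemany(
        "INSERT INTO memorando VALUES (?, ?)",
        [(1, "Visita domiciliar"), (2, "Encaminhamento medico")],
    )
    conn.commit()
    return conn


def validate_id_memorando(raw):
    """Server-side filter: accept only a plain decimal identifier, reject anything else."""
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]{1,10}", raw) is None:
        raise ValueError("id_memorando must contain only digits")
    return int(raw)


def accepts(raw):
    """True if the filter would let this id_memorando value through."""
    try:
        validate_id_memorando(raw)
        return True
    except ValueError:
        return False


def vulnerable_lookup(conn, raw):
    """The defect class the advisory describes: untrusted input spliced into the SQL text."""
    sql = "SELECT id_memorando, assunto FROM memorando WHERE id_memorando = " + raw
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, raw):
    """Validate first, then bind the value; a bound parameter can never alter the query shape."""
    id_memorando = validate_id_memorando(raw)
    return conn.execute(
        "SELECT id_memorando, assunto FROM memorando WHERE id_memorando = ?",
        (id_memorando,),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_lookup(conn, "2"))          # one row, as intended
    print(vulnerable_lookup(conn, "0 OR 1=1"))   # every row: the injection effect
    print(hardened_lookup(conn, "2"))            # one row
    print(accepts("0 OR 1=1"))                   # False: rejected before any query runs
```

The two defences are independent: the numeric filter alone stops this particular parameter from carrying SQL, and the bound parameter alone keeps the query shape fixed even if a future change relaxes the filter. Keeping both is what the "If You Can't Patch" list asks for.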
🔍 How to Verify
Check if Vulnerable:
Check if your WeGIA version is below 3.6.2 and review the endpoint code for lack of parameterized queries in id_memorando handling.
Check Version:
Check the WeGIA version in the admin panel or review the application's version file
Verify Fix Applied:
Verify that version 3.6.2 is installed and test the Atendido_ocorrenciaControle endpoint with SQL injection payloads to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries from web application logs
- Multiple failed authentication attempts followed by SQL error messages
- Suspicious parameter values containing SQL keywords in access logs
Network Indicators:
- Unusual database connection patterns from web server
- Large data transfers from database to unexpected sources
SIEM Query:
source="web_logs" AND ("id_memorando" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "UPDATE" OR "--" OR "' OR"))
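As an added example (not part of the advisory, and not WeGIA's code), the following Python script runs the SIEM query's vocabulary over a few constructed access-log lines in combined log format. The request path is an assumption: the advisory names the Atendido_ocorrenciaControle endpoint but not its URL, so a bare /Atendido_ocorrenciaControle path stands in for it. The script contrasts a literal substring reading of the SIEM query with a version that parses the request and URL-decodes the id_memorando value before matching.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines; the path and timestamps are made up for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2026:10:00:01 +0000] "GET /Atendido_ocorrenciaControle?id_memorando=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2026:10:00:07 +0000] "GET /Atendido_ocorrenciaControle?id_memorando=42%27%20OR%201%3D1-- HTTP/1.1" 200 8192',
    '10.0.0.9 - - [12/Jan/2026:10:00:09 +0000] "GET /Atendido_ocorrenciaControle?id_memorando=1%20UNION%20SELECT%201 HTTP/1.1" 500 311',
    '10.0.0.7 - - [12/Jan/2026:10:00:12 +0000] "GET /Atendido_ocorrenciaControle?id_memorando=7&nota=select+a+memorando HTTP/1.1" 200 600',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Same vocabulary as the SIEM query above, applied to the decoded parameter value.
SQLI_TOKENS = re.compile(
    r"\b(UNION|SELECT|INSERT|DELETE|UPDATE)\b|--|'\s*OR\b", re.IGNORECASE
)

KEYWORDS = ("UNION", "SELECT", "INSERT", "DELETE", "UPDATE", "--", "' OR")


def naive_match(line):
    """Literal reading of the SIEM query: raw substring search over the whole line."""
    up = line.upper()
    return "ID_MEMORANDO" in up and any(k in up for k in KEYWORDS)


def flag_target(target):
    """Return the suspicious decoded id_memorando value, or None if the request looks clean."""
    for value in parse_qs(urlsplit(target).query).get("id_memorando", []):
        if SQLI_TOKENS.search(value):
            return value
    return None


def scan(lines):
    """Parse each line, decode the query string and report (client ip, suspicious value) pairs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in combined log format
        value = flag_target(m.group("target"))
        if value is not None:
            hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(naive_match(line), line[:70])
    print(scan(SAMPLE_LOG))
```

Two things the run shows: the substring query flags the fourth line only because an unrelated parameter contains the word "select", and it catches the second line only through the trailing "--", since the encoded "%27%20OR" never contains the literal "' OR". Decoding and scoping the match to the id_memorando value removes both problems. Note also that standard access logs record only the query string; the POST parameters mentioned under the WAF workaround only reach the SIEM if the application or WAF logs request bodies.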