WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, there is a Stored Cross-Site Scripting (XSS) vulnerability in the dependente_docdependente.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the nome parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.4.7.

CVE Database V5

Detailed information about CVE-2025-57762: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA

CVE-2025-57762: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-57762: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA

A vulnerability was determined in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. Affected by this vulnerability is an unknown functionality of the file /carRental_war/druid/login.html of the component Druid. Executing manipulation can lead to hard-coded credentials. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.

CVE-2025-9310 is a medium-severity vulnerability affecting the yeqifu carRental software, specifically up to the commit identified as 3fabb7eae93d209426638863980301d6f99866b3. The vulnerability resides in an unknown functionality within the file /carRental_war/druid/login.html, part of the Druid component integrated into the product. The core issue is the presence of hard-coded credentials, which can be exploited remotely without requiring any authentication or user interaction. This means an attacker can directly access the system using these embedded credentials, potentially bypassing normal security controls. The product follows a rolling release model, so there are no fixed version numbers for affected or patched releases, complicating patch management. The CVSS 4.0 base score is 6.9, reflecting a medium severity level primarily due to the ease of remote exploitation (attack vector: network), no required privileges or user interaction, and limited impact on confidentiality (VC:L) but no impact on integrity or availability. Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation by threat actors. The lack of patch links indicates that no official fix has been released yet, so organizations using yeqifu carRental should consider this vulnerability a significant risk until mitigated. Hard-coded credentials are a critical security anti-pattern because they can be extracted by attackers, leading to unauthorized access and potential lateral movement within networks.

Detailed information about CVE-2025-9310: Hard-coded Credentials in yeqifu carRental affecting yeqifu carRental. Get real-time updates, technical details, and m

CVE-2025-9310: Hard-coded Credentials in yeqifu carRental - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-9310: Hard-coded Credentials in yeqifu carRental

A vulnerability was found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /etc_ro/shadow of the component MD5 Hash Handler. Performing manipulation results in hard-coded credentials. The attack needs to be approached locally. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit has been made public and could be used.

CVE-2025-9309 is a vulnerability identified in the Tenda AC10 router firmware version 16.03.10.13. The flaw involves hard-coded credentials embedded within an unknown function related to the /etc_ro/shadow file, specifically within the component handling MD5 hashes. This vulnerability allows an attacker with local access to the device to potentially leverage these hard-coded credentials to gain unauthorized access or escalate privileges. The attack complexity is high, requiring local access and advanced manipulation skills, and no user interaction is needed. The exploitability is considered difficult, and while an exploit has been publicly disclosed, there are no known exploits actively used in the wild. The CVSS 4.0 base score is 2, indicating a low severity primarily due to the requirement for local access, high attack complexity, and limited impact on confidentiality, integrity, and availability. The vulnerability does not require authentication but does require local access, limiting the attack surface to individuals who can physically or logically access the device's local environment. The hard-coded credentials pose a risk of unauthorized access if an attacker can reach the device locally, potentially compromising device configuration or network security.

Detailed information about CVE-2025-9309: Hard-coded Credentials in Tenda AC10 affecting Tenda AC10. Get real-time updates, technical details, and mitigation st

CVE-2025-9309: Hard-coded Credentials in Tenda AC10 - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-9309: Hard-coded Credentials in Tenda AC10

WeGIA is a Web manager for charitable institutions. Prior to 3.4.10, there is a SQL Injection vulnerability in the /html/funcionario/dependente_remover.php endpoint, specifically in the id_funcionario parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.4.10.

CVE-2025-57761 is a critical SQL Injection vulnerability identified in the WeGIA web management system developed by LabRedesCefetRJ, specifically affecting versions prior to 3.4.10. The vulnerability exists in the /html/funcionario/dependente_remover.php endpoint within the id_funcionario parameter. SQL Injection (CWE-89) occurs when user-supplied input is improperly neutralized before being included in SQL queries, allowing attackers to manipulate the database commands executed by the application. In this case, the id_funcionario parameter does not adequately sanitize input, enabling an attacker to inject arbitrary SQL code. This can lead to unauthorized data access, data modification, or deletion, and potentially full compromise of the backend database. The CVSS 4.0 base score of 9.4 reflects the high severity, with network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), and no user interaction needed (UI:N). The vulnerability impacts confidentiality, integrity, and availability (VC:H, VI:H, VA:H), and affects a high scope (SC:H) with significant impact on security controls (SI:H) and security attributes (SA:H). Although no known exploits are currently reported in the wild, the ease of exploitation and critical impact make this a significant threat. The issue was addressed in version 3.4.10 of WeGIA, which includes proper input validation and sanitization to prevent SQL Injection attacks.

Detailed information about CVE-2025-57761: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA

CVE-2025-57761: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-57761: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA

WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, there is a Reflected Cross-Site Scripting (XSS) vulnerability in the insere_despacho.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the cpf sccs. This vulnerability is fixed in 3.4.7.

Detailed information about CVE-2025-57763: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA