WeGIA SQL Injection Vulnerability in adicionar_tipo_exame.php Endpoint

Vulnerability

A SQL injection vulnerability exists in WeGIA, a web application for charitable institutions, in versions prior to 3.2.15. The flaw is located in the 'adicionar_tipo_exame.php' endpoint, where authorized attackers can execute arbitrary SQL queries and potentially access sensitive information. It arises from inadequate validation of request input, which allows crafted SQL payloads to reach the database query.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL queries, which could lead to unauthorized access to sensitive information, disruption of database services, or, in some cases, the upload of arbitrary files.

Reproduction

To reproduce this vulnerability, send a POST request to the 'dao/pet/adicionar_tipo_exame.php' endpoint with a crafted 'tipo_exame' parameter containing a SQL injection payload. Because the application does not validate or parameterize this input, the injected SQL is executed by the database, allowing it to be manipulated or its contents extracted.

Remediation

Upgrade to WeGIA version 3.2.15 or later, where this vulnerability has been patched.
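As an added illustration (not WeGIA's code and not the project's actual patch), the string-concatenation pattern that produces this class of flaw is shown next to the prepared-statement form that remediates it. The table and column names (tipo_exame, tipo) and the use of in-memory SQLite in place of MySQL are assumptions so the script runs stand-alone with php-cli.

```php
<?php
// Added illustration, not WeGIA's code. Table/column names are assumed;
// SQLite in memory stands in for the MySQL database the application uses.

// Vulnerable pattern (the class of defect described in the advisory): the
// request value is concatenated into the query text, so the database parses
// whatever the client sent as SQL syntax rather than as data.
function adicionar_tipo_exame_vulneravel(PDO $pdo, string $tipoExame): int
{
    $sql = "INSERT INTO tipo_exame (tipo) VALUES ('" . $tipoExame . "')";
    return $pdo->exec($sql);
}

// Hardened pattern: a prepared statement sends the value separately from the
// query text, so it cannot alter the query's structure. The length check is
// defence in depth only; the prepared statement is the actual control.
function adicionar_tipo_exame_seguro(PDO $pdo, string $tipoExame): int
{
    $tipoExame = trim($tipoExame);
    if ($tipoExame === '' || strlen($tipoExame) > 100) { // byte length bound
        throw new InvalidArgumentException('tipo_exame invalido');
    }
    $stmt = $pdo->prepare('INSERT INTO tipo_exame (tipo) VALUES (:tipo)');
    $stmt->bindValue(':tipo', $tipoExame, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES => false so the server, not the
// driver, binds the parameters.
$pdo->exec('CREATE TABLE tipo_exame (id INTEGER PRIMARY KEY, tipo TEXT NOT NULL)');

// Constructed input: a legitimate exam name that merely contains an apostrophe.
// That is enough to break the concatenated query, which shows the value is
// being interpreted as SQL rather than stored as data.
$entrada = "Raio-X d'abdome";
try {
    adicionar_tipo_exame_vulneravel($pdo, $entrada);
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . PHP_EOL;
}
echo "prepared statement inserted rows: "
    . adicionar_tipo_exame_seguro($pdo, $entrada) . PHP_EOL;
```

In a code review, any query built with string concatenation from $_POST or $_GET values is the signature to look for; every such site should be converted to the bound-parameter form.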

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.