A critical SQL Injection vulnerability in the WeGIA web manager allows an unauthenticated attacker to execute arbitrary SQL commands, potentially leading to a full compromise of the underlying database.**

An unauthenticated attacker can exploit an SQL Injection vulnerability in the /html/funcionario/profile_funcionario.php endpoint. The id_funcionario parameter fails to properly sanitize user-supplied input, allowing the injection of malicious SQL queries.

This vulnerability poses a critical risk to the organization. A successful exploit could allow an attacker to read, modify, or delete sensitive data from the application's database, including information related to the charitable institution's operations and personnel. With a CVSS score of 9.8 (Critical), this flaw could also be leveraged to gain administrative control over the application or the underlying server, leading to a complete system compromise.

Immediate Action: Administrators must immediately update all instances of the affected WeGIA software to the latest patched version provided by the vendor.

Proactive Monitoring: Review web server and database logs for any suspicious requests targeting the /html/funcionario/profile_funcionario.php endpoint, particularly those manipulating the id_funcionario parameter.

Compensating Controls: If patching is not immediately feasible, deploy a Web Application Firewall (WAF) with rules specifically configured to detect and block SQL Injection attack patterns.

Public Exploit Available: No

Given the critical severity (CVSS 9.8) and the potential for complete data compromise, this vulnerability requires immediate attention. We strongly urge all administrators to prioritize the deployment of the vendor-supplied update to eliminate the risk. Delaying remediation exposes the organization to significant data breach and system integrity risks.