The WeGIA web manager contains a critical security flaw where a specific script lacks authentication checks, allowing unauthenticated attackers to perform unauthorized data injection.

The script adicionar_tipo_docs_atendido.php fails to implement central controller checks or independent authentication. This allows an unauthenticated external party to bypass permission levels and access features intended only for employees.

The ability for external parties to inject massive quantities of unauthorized data can lead to storage exhaustion and database corruption, resulting in significant system downtime. With a CVSS score of 9.8, this vulnerability represents a critical threat to data integrity and availability, potentially disrupting the core services of charitable institutions using the platform.

Immediate Action: Update the WeGIA installation to version 3.6.5 or later immediately to apply the necessary authentication and permission logic.

Proactive Monitoring: Review application storage and database logs for anomalous growth or entries created by unauthorized IP addresses, specifically targeting the adicionar_tipo_docs_atendido.php endpoint.

Compensating Controls: Restrict access to the application via IP whitelisting or implement a robust authentication proxy if an immediate update is not feasible.

Public Exploit Available: false

This vulnerability exposes the application to massive data manipulation and potential denial-of-service through storage exhaustion. Organizations must apply the version 3.6.5 update immediately to secure the application against unauthenticated external requests.