CVE-2026-33134
WeGIA Project · WeGIA
WeGIA versions 3.6.5 and below contain an authenticated SQL injection vulnerability in the restaurar_produto.php endpoint, potentially leading to full database compromise.
Executive summary
Authenticated attackers can execute arbitrary SQL commands to compromise the entire database of the WeGIA web manager.
Vulnerability
This is an authenticated SQL injection vulnerability in the id_produto GET parameter of the /html/matPat/restaurar_produto.php endpoint. The application fails to sanitize or parameterize the input before using it in SQL queries, allowing an attacker to manipulate database operations.
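The following is an added illustration, not WeGIA's own code: WeGIA is a PHP application and its real query is not shown on this page, so the pattern is reproduced in Python against an in-memory SQLite table. The table name, columns, sample rows and function names are assumptions chosen to mirror an endpoint that "restores" a product by id; the point is the contrast between concatenating id_produto into the SQL text and binding it as a typed parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption): products with a soft-delete flag."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE produto (id_produto INTEGER PRIMARY KEY, nome TEXT, excluido INTEGER)"
    )
    conn.executemany(
        "INSERT INTO produto VALUES (?, ?, ?)",
        [(1, "cadeira", 1), (2, "mesa", 1), (3, "armario", 1)],
    )
    conn.commit()
    return conn


def restaurar_produto_vulneravel(conn, id_produto):
    """The pattern the advisory describes: the GET value lands in the SQL text
    unchanged, so a non-numeric value changes the WHERE clause instead of being
    compared against the id column. Returns the number of rows affected."""
    sql = "UPDATE produto SET excluido = 0 WHERE id_produto = " + id_produto
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def restaurar_produto_seguro(conn, id_produto):
    """Hardened form: validate the type first, then bind a parameter so the
    value can never be parsed as SQL. Returns the number of rows affected."""
    if not id_produto.isdigit():
        raise ValueError("id_produto must be a positive integer")
    cur = conn.execute(
        "UPDATE produto SET excluido = 0 WHERE id_produto = ?",
        (int(id_produto),),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    # A legitimate id restores exactly one row in both versions.
    print(restaurar_produto_vulneravel(make_db(), "1"))   # 1
    print(restaurar_produto_seguro(make_db(), "1"))       # 1
    # A value that is not an integer is rejected before any SQL runs.
    try:
        restaurar_produto_seguro(make_db(), "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The validation step is not a substitute for the parameter binding: the binding is what makes the statement safe, while the type check gives the application a clean error instead of a database error and keeps the integer-only contract of the endpoint explicit.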
Business impact
Successful exploitation allows an attacker to read, modify, or delete any data within the database. For a system that manages charitable institutions, this could result in the theft of sensitive donor information, financial records, and institutional data. The CVSS score of 9.3 highlights the severe risk to data integrity and confidentiality.
Remediation
Immediate Action: Upgrade WeGIA to version 3.6.6 or later, which implements parameterized statements to prevent SQL injection.
Proactive Monitoring: Review database logs for unusual query patterns and audit the restaurar_produto.php access logs for suspicious characters (e.g., single quotes, semicolons) in the URL.
Compensating Controls: Implement a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious GET parameters.
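As a worked example of the access-log review suggested under Proactive Monitoring, here is an added Python scanner that is not part of the advisory or of WeGIA. It reads Apache-style combined log lines, keeps only requests to the affected endpoint, and flags any id_produto value that is not a plain integer. An allowlist check of this kind catches the single quotes and semicolons the advisory names and anything else that does not belong in a numeric id. The log lines, client addresses, timestamps and the second endpoint path are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory.
ENDPOINT = "/html/matPat/restaurar_produto.php"

# Apache/nginx combined log format: client, identity, user, time, request, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log (assumption): one legitimate request, one with a quote,
# one double-encoded quote, and one request to an unrelated, made-up endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:14:02:11 +0000] "GET /html/matPat/restaurar_produto.php?id_produto=42 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2026:14:02:19 +0000] "GET /html/matPat/restaurar_produto.php?id_produto=42%27 HTTP/1.1" 500 213
198.51.100.7 - - [10/Mar/2026:14:03:02 +0000] "GET /html/matPat/restaurar_produto.php?id_produto=42%2527 HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2026:14:03:40 +0000] "GET /html/matPat/outro_endpoint_exemplo.php?id_produto=abc HTTP/1.1" 200 900
"""


def is_suspicious_id(value):
    """A legitimate id_produto is a plain integer; anything else is flagged.
    parse_qs already decodes once; decoding a second time catches values that
    were percent-encoded twice to slip past naive filters."""
    decoded = unquote(value)
    return not decoded.isdigit()


def scan(lines):
    """Return (client_ip, timestamp, decoded_value) for each request to the
    affected endpoint whose id_produto parameter is not a plain integer."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("id_produto", []):
            if is_suspicious_id(value):
                hits.append((m.group("ip"), m.group("time"), unquote(value)))
    return hits


if __name__ == "__main__":
    for ip, when, value in scan(SAMPLE_LOG.splitlines()):
        print(f"{when} {ip} id_produto={value!r}")
```

Run against a real access log with `scan(open(path).readlines())`; a 500 response next to a flagged value, as in the second sample line, is worth a closer look because a database error is a typical side effect of a quote landing inside a query. A blank or missing id_produto is not flagged by itself, so adjust the check if the endpoint treats an empty value as an error.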
Exploitation status
Public Exploit Available: false
Analyst recommendation
SQL injection remains one of the most damaging web vulnerabilities. Administrators of WeGIA should prioritize the update to version 3.6.6 immediately. Additionally, ensure that the database user for the application follows the principle of least privilege to limit the impact of any potential injection.