Executive Summary

CVE-2026-33134 is an authenticated SQL Injection vulnerability in the WeGIA web manager application, specifically in the script /html/matPat/restaurar_produto.php. The vulnerability arises because the application takes the id_produto parameter directly from the GET request without any sanitization, type casting, or use of prepared statements, and inserts it directly into SQL queries.

This allows an authenticated attacker to inject arbitrary SQL commands through the id_produto parameter, potentially manipulating the database queries executed by the application.

The vulnerability can be exploited to perform time-based blind SQL injection attacks, as demonstrated by injecting commands like sleep(5) to delay server responses.

This issue affects WeGIA versions 3.6.5 and below and was fixed in version 3.6.6 by implementing prepared statements and proper input handling.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full database compromise.

• An attacker can extract sensitive data such as passwords, personally identifiable information (PII), and session data.
• An attacker can modify or delete database records, potentially causing denial of service or unauthorized administrative access.
• In some misconfigured environments, the attacker could write files to the system, enabling remote code execution (RCE).

The vulnerability has a high severity rating with a CVSS v3.1 base score of 9.3, indicating critical risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the `id_produto` GET parameter in the `/html/matPat/restaurar_produto.php` endpoint for SQL injection. A common method is to inject time-based blind SQL commands such as `sleep(5)` to observe if the server response is delayed, indicating vulnerability.'}, {'type': 'paragraph', 'content': 'For example, an authenticated user can send a request like: `/html/matPat/restaurar_produto.php?id_produto=1 OR SLEEP(5)--` and check if the response time increases significantly.'}, {'type': 'paragraph', 'content': 'This can be done using command-line tools such as curl or wget to measure response times, for example:'}, {'type': 'list_item', 'content': 'curl -w "%{time_total}\\n" -o /dev/null -s "http://target/html/matPat/restaurar_produto.php?id_produto=1"'}, {'type': 'list_item', 'content': 'curl -w "%{time_total}\\n" -o /dev/null -s "http://target/html/matPat/restaurar_produto.php?id_produto=1 OR SLEEP(5)--"'}, {'type': 'paragraph', 'content': 'If the second command shows a response time approximately 5 seconds longer than the first, it indicates the presence of the time-based blind SQL injection vulnerability.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade the WeGIA application to version 3.6.6 or later, where this vulnerability has been fixed.

Additionally, ensure that the application uses proper input validation, type casting, and parameterized SQL queries (prepared statements) to prevent SQL injection.

If upgrading immediately is not possible, restrict access to the vulnerable endpoint to trusted authenticated users only and monitor for suspicious activity.

Review and apply the security fixes from the pull request #1457, which includes removal of unsafe functions like `extract()`, adoption of PDO prepared statements, and validation of file paths to prevent related vulnerabilities.

Useful 0 Not Useful 0