Impact
WeGIA, a web manager for charitable institutions, has an open‑redirect flaw in versions prior to 3.6.9 that occurs in the /WeGIA/controle/control.php endpoint. By providing a crafted nextPage value in a request that also uses metodo=listarId and nomeClasse=IsaidaControle, an attacker can force a user’s browser to navigate to an arbitrary external site. The ability to redirect users through a trusted domain can be leveraged for phishing, credential harvesting, malware delivery, and other social‑engineering attacks. This vulnerability does not allow direct code execution but undermines user trust and confidentiality of information disclosed during interactions with the redirected site.
Affected Systems
Any deployment of WeGIA from LabRedesCefetRJ running a version older than 3.6.9 is affected. The vulnerability has been fixed in version 3.6.9 and later.
Risk and Exploitability
The CVSS v3.1 score of 5.1 indicates moderate severity. Because the redirection can be forced through a simple HTTP GET, exploitation is trivial if a victim follows a malicious link. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that widespread exploitation is not yet documented. Nonetheless, the use of a trusted domain increases the likelihood that users will comply with the redirect, making the threat more consequential in targeted phishing campaigns.
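As an added example that is not part of this advisory or of WeGIA's own code, the following Python shows the same-origin check that prevents this class of flaw and a scan of constructed access-log lines for control.php requests whose nextPage would leave the site; the client addresses, timestamps and hosts in the sample log are constructed.

```python
# Added example, not WeGIA's own code: a same-origin check for a
# "nextPage"-style redirect target, and a scan of constructed access-log
# lines for control.php requests whose nextPage would leave the site.
import re
from urllib.parse import parse_qs, urlsplit

def is_safe_next_page(value: str) -> bool:
    """Accept only site-relative paths such as '/WeGIA/html/home.php'.
    The value is checked as the application sees it (URL-decoded once).
    Rejects absolute URLs (any scheme), scheme-relative '//host' forms,
    the '/\\host' variant browsers normalise to '//', and control chars.
    """
    if not value.startswith("/"):
        return False                         # must be an absolute *path*
    if len(value) > 1 and value[1] in "/\\":
        return False                         # '//host' is scheme-relative
    if re.search(r"[\x00-\x20\x7f]", value):
        return False                         # CR/LF/NUL/space: header smuggling
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""

# Constructed sample log lines (combined log format, hypothetical hosts).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /WeGIA/controle/control.php?metodo=listarId&nomeClasse=IsaidaControle&nextPage=/WeGIA/html/saida/lista.php HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /WeGIA/controle/control.php?metodo=listarId&nomeClasse=IsaidaControle&nextPage=https://attacker.example/login HTTP/1.1" 302 0
10.0.0.8 - - [01/Jan/2025:10:00:02 +0000] "GET /WeGIA/controle/control.php?metodo=listarId&nomeClasse=IsaidaControle&nextPage=%2F%2Fattacker.example HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /WeGIA/html/home.php HTTP/1.1" 200 512
"""
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def flag_open_redirect_requests(log_text: str) -> list[dict]:
    """One record per control.php request whose nextPage is not same-origin."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, ts, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/controle/control.php"):
            continue
        q = parse_qs(url.query)                # decodes once, like PHP's $_GET
        next_page = q.get("nextPage", [None])[0]
        if next_page is None or is_safe_next_page(next_page):
            continue
        hits.append({"client": client, "time": ts, "nextPage": next_page,
                     "metodo": q.get("metodo", [""])[0],
                     "nomeClasse": q.get("nomeClasse", [""])[0]})
    return hits
```

The first sample request is a legitimate in-site redirect and is not flagged; the second and third are flagged, the third because the percent-encoded `//` decodes to a scheme-relative target.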
OpenCVE Enrichment