Description
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/FuncionarioControle.php follows the same pattern. SHA-256 is a general-purpose cryptographic hash built for speed, not password storage. Without a salt, identical passwords produce identical digests, making the entire hash database vulnerable to a single precomputed rainbow table lookup. This vulnerability is fixed in 3.7.3.
Published: 2026-05-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WeGIA, a web manager for charitable institutions, hashes user passwords with PHP's hash() function using the SHA-256 algorithm without a salt in html/login.php and in the password change flow. SHA-256 is a general-purpose hash that is fast but not designed for storing passwords. Lacking a salt means identical passwords produce identical digests, so the entire hash database can be broken with a single precomputed rainbow table or offline brute-force attempt, allowing an attacker to recover user passwords and impersonate any account.

Affected Systems

The affected vendor is LabRedesCefetRJ, product WeGIA. Versions earlier than 3.7.3 are vulnerable; version 3.7.3 and later contain a fix that replaces the weak hashing algorithm.

Risk and Exploitability

With a CVSS score of 5.9 the severity is medium, and the EPSS score is not publicly available, so the exploitation likelihood is uncertain but potentially significant when the hash database is exposed. The vulnerability is listed as not in CISA KEV. The likely attack vector is offline: an attacker who acquires or observes the stored SHA‑256 hashes can use precomputed tables or rapid brute‑force to recover plaintext passwords. If the attacker can also gain authenticated access, they could elevate privileges or steal institutional data, but the vulnerability itself does not provide remote code execution or continuous access.

Generated by OpenCVE AI on May 27, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WeGIA 3.7.3 or later to replace the SHA‑256 hash with a secure password hashing algorithm
  • After upgrading, enforce a strong password policy, requiring length, complexity, and periodic changes
  • Reset all user passwords or re‑hash existing passwords with the new algorithm, forcing users to create new passwords or running a migration script to update stored hashes
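The unsalted SHA-256 pattern described above, beside a hardened check that also performs the in-place migration the recommended actions call for. This is an added example, not WeGIA's code; it assumes PHP 8+ and a hypothetical `$persist` callback that stores a new hash for the user.

```php
<?php
// Added example, not WeGIA's code: the unsalted SHA-256 login check the
// advisory describes, beside a hardened check that migrates legacy rows.
// Assumes PHP 8+; $persist is a hypothetical callback that saves a new hash.

// Vulnerable pattern (pre-3.7.3): fast, unsalted digest compared to the stored
// value, so every user with the same password has the same stored digest.
function legacy_login_check(string $submitted, string $stored): bool
{
    return hash('sha256', $submitted) === $stored;
}

// Hardened pattern: password_hash() uses a slow algorithm (bcrypt by default)
// with a random per-password salt embedded in the returned string.
function create_password_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verification that upgrades legacy rows transparently at login time.
// Assumption: a legacy row is a 64-character hex SHA-256 digest, while
// password_hash() output always starts with '$', so the formats are distinguishable.
function verify_and_migrate(string $submitted, string $stored, callable $persist): bool
{
    if (str_starts_with($stored, '$')) {
        if (!password_verify($submitted, $stored)) {   // constant-time compare
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $persist(create_password_hash($submitted)); // cost parameters changed
        }
        return true;
    }
    // Legacy unsalted row: constant-time compare, then replace it immediately.
    if (!hash_equals($stored, hash('sha256', $submitted))) {
        return false;
    }
    $persist(create_password_hash($submitted));
    return true;
}

// Constructed demo data, not values from the project's database.
$row = hash('sha256', 'correct horse');   // shape of a pre-3.7.3 stored row
$persist = function (string $newHash) use (&$row) { $row = $newHash; };
// Verifies against the legacy row and, on success, persists a password_hash() replacement.
$first = verify_and_migrate('correct horse', $row, $persist);
// Second attempt now runs against the upgraded row.
$second = verify_and_migrate('wrong guess', $row, $persist);
var_dump($first, $second, str_starts_with($row, '$'));
```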

Advisories

No advisories yet.

History

Thu, 28 May 2026 03:45:00 +0000

Values Removed: none
Values Added:
  First Time appeared: Labredescefetrj; Labredescefetrj wegia
  Vendors & Products: Labredescefetrj; Labredescefetrj wegia

Wed, 27 May 2026 18:30:00 +0000

Values Removed: none
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 16:30:00 +0000

Values Removed: none
Values Added:
  Description: WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/FuncionarioControle.php follows the same pattern. SHA-256 is a general-purpose cryptographic hash built for speed, not password storage. Without a salt, identical passwords produce identical digests, making the entire hash database vulnerable to a single precomputed rainbow table lookup. This vulnerability is fixed in 3.7.3.
  Title: WeGIA: Use of Weak Password Hashing Algorithm (SHA-256, no salt) in html/login.php
  Weaknesses: CWE-759, CWE-916
  References: (none listed)
  Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:52:00.845Z

Reserved: 2026-05-08T16:58:28.896Z

Link: CVE-2026-45027

Vulnrichment

Updated: 2026-05-27T17:51:57.249Z

NVD

Status: Deferred

Published: 2026-05-27T17:16:40.227

Modified: 2026-06-17T10:51:37.363

Link: CVE-2026-45027

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses
  • CWE-759: Use of a One-Way Hash without a Salt
  • CWE-916: Use of Password Hash With Insufficient Computational Effort