CVE-2025-22140
Published: 08 January 2025
Description
WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar_um.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8.
Security Summary
CVE-2025-22140 is a SQL injection vulnerability (CWE-89) affecting WeGIA, a web-based management system for charitable institutions. The issue occurs in the /html/funcionario/dependente_listar_um.php endpoint, where the id_dependente parameter reaches a database query without adequate validation or parameterization, enabling attackers to inject and execute arbitrary SQL commands against the backend database. The flaw affects versions of WeGIA prior to 3.2.8 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with impact on confidentiality, integrity, and availability.
Exploitation requires only low privileges (PR:L), i.e. any authenticated account, and can be performed remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). A successful attack yields arbitrary SQL execution, enabling data exfiltration, unauthorized modification, or disruption of database services, and therefore full compromise of the targeted database.
Mitigation is available via an update to WeGIA version 3.2.8, which addresses the injection flaw. Additional details on the patch and remediation steps are provided in the GitHub security advisories at https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mrhp-wfp2-59h5 and https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mrhp-wfp2-59h5.
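The following is an added illustration of the vulnerability class described above, not code from WeGIA or its advisory. It uses a constructed in-memory SQLite table with a hypothetical dependente schema (the real column names and the affected query are not given on this page) and contrasts the injectable pattern of concatenating id_dependente into the SQL text with the hardened pattern of validating the value as an integer and binding it as a query parameter.

```python
import re
import sqlite3

# Constructed sample data standing in for a dependants table.
# Hypothetical schema; not WeGIA's own.
SAMPLE_ROWS = [
    (1, "Ana", 10),
    (2, "Bruno", 10),
    (3, "Carla", 11),
]


def build_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dependente ("
        "id_dependente INTEGER PRIMARY KEY, nome TEXT, id_funcionario INTEGER)"
    )
    conn.executemany("INSERT INTO dependente VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def listar_um_vulneravel(conn, id_dependente):
    """Injectable pattern: the untrusted parameter becomes part of the SQL text.

    A value such as '2 OR 1=1' changes the WHERE clause and returns every row;
    a UNION payload can pull data from other columns or tables.
    """
    sql = (
        "SELECT id_dependente, nome FROM dependente "
        "WHERE id_dependente = " + id_dependente
    )
    return conn.execute(sql).fetchall()


def listar_um_seguro(conn, id_dependente):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    The database driver sends the value separately from the statement, so
    its content can never alter the query structure. The explicit integer
    check additionally rejects anything that is not a plain record id.
    """
    if not isinstance(id_dependente, str) or not re.fullmatch(r"[0-9]+", id_dependente):
        raise ValueError("id_dependente must be a non-negative integer")
    sql = "SELECT id_dependente, nome FROM dependente WHERE id_dependente = ?"
    return conn.execute(sql, (int(id_dependente),)).fetchall()


def rejeitado(conn, id_dependente):
    """Return True when the hardened lookup refuses the supplied value."""
    try:
        listar_um_seguro(conn, id_dependente)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("benign, vulnerable:", listar_um_vulneravel(db, "2"))
    print("payload, vulnerable:", listar_um_vulneravel(db, "2 OR 1=1"))
    print("union payload, vulnerable:",
          listar_um_vulneravel(db, "0 UNION SELECT id_funcionario, nome FROM dependente"))
    print("benign, hardened:", listar_um_seguro(db, "2"))
    print("payload rejected by hardened lookup:", rejeitado(db, "2 OR 1=1"))
```

Running the script shows the tautology payload returning all three rows and the UNION payload returning the id_funcionario column through the vulnerable function, while the hardened function returns exactly one row for a legitimate id and refuses the payloads before any query is executed. The integer check is deliberately strict (digits only) because a bound parameter alone prevents structural injection but does not stop a caller from submitting a value of the wrong type, which a reviewer of any fix for CVE-2025-22140 would also want to see enforced.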
Details
- CWE(s)