CVE-2025-22141
Published: 08 January 2025
Description
WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /dao/verificar_recursos_cargo.php endpoint, specifically in the cargo parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8.
Security Summary
CVE-2025-22141 is a SQL injection vulnerability (CWE-89) affecting WeGIA, a web-based management system for charitable institutions. The issue exists in the /dao/verificar_recursos_cargo.php endpoint, where the value of the "cargo" parameter is used in a database query without proper sanitization, enabling attackers to inject and execute arbitrary SQL commands. This compromises the confidentiality, integrity, and availability of the underlying database. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for significant impact.
Exploitation requires low privileges, such as an authenticated user account, and can be performed remotely with low complexity and no user interaction. Attackers can leverage the SQL injection to extract sensitive data, alter database records, or disrupt services, potentially leading to complete database takeover depending on the backend database configuration and access controls.
The vulnerability has been addressed in WeGIA version 3.2.8. For mitigation details, including patch deployment instructions, security practitioners should consult the GitHub security advisories published by the maintainers: https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636 and https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636.
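The advisory does not include WeGIA's source, so the following is an added illustrative example, not the project's code: it contrasts the general pattern behind CWE-89 (a request parameter concatenated into SQL text) with the hardened form a maintainer would ship, a prepared statement plus an input allowlist. The table name `recursos`, its columns, and the assumption that `cargo` is a numeric id are all invented for the demo; it runs stand-alone against an in-memory SQLite database.

```php
<?php
// Added illustrative example; NOT WeGIA's code. The schema (table "recursos",
// columns id/cargo/nome) and the numeric-id assumption for "cargo" are made up
// here, since the advisory does not show the real /dao/verificar_recursos_cargo.php.

declare(strict_types=1);

// Vulnerable pattern, shown for contrast only: the parameter becomes part of the
// SQL text, so the database parses whatever the client sends as SQL syntax.
function verificarRecursosCargoInseguro(PDO $pdo, string $cargo): array
{
    $sql = "SELECT id, nome FROM recursos WHERE cargo = '" . $cargo . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is validated against an allowlist and then bound as a
// parameter, so it can never change the structure of the query.
function verificarRecursosCargo(PDO $pdo, string $cargo): array
{
    if (!preg_match('/^[0-9]{1,10}$/', $cargo)) {
        throw new InvalidArgumentException('cargo must be a numeric id');
    }
    $stmt = $pdo->prepare('SELECT id, nome FROM recursos WHERE cargo = :cargo');
    $stmt->execute([':cargo' => (int) $cargo]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on constructed data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE recursos (id INTEGER PRIMARY KEY, cargo INTEGER, nome TEXT)');
$pdo->exec("INSERT INTO recursos (cargo, nome) VALUES (1, 'sala'), (2, 'veiculo'), (2, 'telefone')");

// In the real endpoint this value comes from the HTTP request; "2" is the CLI default.
$input = $_GET['cargo'] ?? '2';

try {
    $rows = verificarRecursosCargo($pdo, $input);
    echo count($rows), ' recurso(s) para cargo ', $input, PHP_EOL;
} catch (InvalidArgumentException $e) {
    // Reject malformed input with a client error instead of passing it to the database.
    http_response_code(400);
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php` (or `php example.php` behind a web server with `?cargo=2`). The allowlist is a second, independent layer: even if a future edit reintroduced string concatenation somewhere, a value restricted to digits cannot carry SQL syntax, and rejected requests surface as 400s that can be counted in access logs as a cheap detection signal for probing of this endpoint.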
Details
- CWE(s)