CVE-2025-23218
Published: 20 January 2025
Description
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_especie.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw. This vulnerability is fixed in 3.2.10.
Security Summary
CVE-2025-23218 is a SQL injection vulnerability (CWE-89) in the WeGIA open-source web management application, which targets Portuguese-language users and charitable institutions. The flaw resides in the adicionar_especie.php endpoint, enabling attackers to inject and execute arbitrary SQL commands against the application's database. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was publicly disclosed on January 20, 2025.
Remote attackers require no authentication, privileges, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants unauthorized access to sensitive information, including the ability to perform a complete database dump, potentially exposing all stored data such as user records or institutional details.
The vulnerability has been addressed in WeGIA version 3.2.10. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-xhv4-88gx-hvgh) and the fixing commit (7465f785651c0cff65059bba96b015ab54235de4).
Details
- CWE(s)