CVE-2025-23219
Published: 20 January 2025
Description
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_cor.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw. This vulnerability is fixed in 3.2.10.
Security Summary
CVE-2025-23219 is a SQL injection vulnerability (CWE-89) affecting the WeGIA open-source web manager, which is designed with a focus on the Portuguese language and charitable institutions. The flaw exists specifically in the adicionar_cor.php endpoint, enabling attackers to execute arbitrary SQL commands against the application's database.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation allows unauthorized access to sensitive information, including the ability to perform a complete dump of the application's database.
The vulnerability has been addressed in WeGIA version 3.2.10. Mitigation details and the fixing commit are available in the GitHub security advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h2mg-4c7q-w69v and the commit at https://github.com/LabRedesCefetRJ/WeGIA/commit/ae9c859006143bd0087b3e6e48a0677e1fff5c7e.
Details
- CWE(s)