CVE-2025-23220
Published: 20 January 2025
Description
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_raca.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands against the database, granting unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw. This vulnerability is fixed in 3.2.10.
Security Summary
CVE-2025-23220 is a SQL injection vulnerability (CWE-89) affecting the WeGIA open-source web manager, an application designed with a focus on the Portuguese language for charitable institutions. The flaw is located in the adicionar_raca.php endpoint, where insufficient input validation allows attackers to inject and execute arbitrary SQL commands directly against the application's database.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and no requirements for privileges or user interaction. Unauthenticated remote attackers can exploit it to execute arbitrary SQL queries, enabling unauthorized access to sensitive information, including a complete dump of the application's database.
Mitigation is available in WeGIA version 3.2.10, which addresses the issue through a patch detailed in the project's GitHub commit 1739e1589948a207b8a82b9bfe078cb826d420de. Additional guidance on the fix and remediation steps is provided in the GitHub security advisory GHSA-425j-h4cf-g52j.
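As an added illustration of the CWE-89 pattern the summary describes, here is a hypothetical insert handler in its vulnerable shape beside a hardened PDO version. This is example code, not WeGIA's own; the table name `raca`, the column `descricao` and the function names are assumptions.

```php
<?php
// Hypothetical illustration of the CWE-89 pattern behind CVE-2025-23220.
// Table/column names (raca, descricao) are assumptions, not WeGIA source.

// Vulnerable shape: the request value is concatenated into the SQL text, so
// a single quote in $descricao closes the string literal and the rest of the
// input is parsed as SQL. This is the shape to look for when reviewing code.
function adicionarRacaVulneravel(PDO $db, string $descricao): void
{
    $sql = "INSERT INTO raca (descricao) VALUES ('" . $descricao . "')";
    $db->exec($sql); // DO NOT USE: query structure is controlled by input
}

// Hardened shape: the SQL text is fixed and the value is a bound parameter,
// so the database never parses user data as query syntax. Length/emptiness
// validation is a second layer, not the primary defence.
function adicionarRacaSeguro(PDO $db, string $descricao): void
{
    $descricao = trim($descricao);
    if ($descricao === '' || strlen($descricao) > 100) {
        throw new InvalidArgumentException('descricao must be 1-100 bytes');
    }
    $stmt = $db->prepare('INSERT INTO raca (descricao) VALUES (:descricao)');
    $stmt->bindValue(':descricao', $descricao, PDO::PARAM_STR);
    $stmt->execute();
}

// Self-contained demo against in-memory SQLite; no WeGIA install needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE raca (id INTEGER PRIMARY KEY, descricao TEXT NOT NULL)');

// Constructed benign input containing an apostrophe, enough to show that the
// vulnerable form lets data change the query's structure.
$entrada = "Vira-lata O'Hara";

try {
    adicionarRacaVulneravel($db, $entrada);
    echo "vulnerable form: insert succeeded\n";
} catch (PDOException $e) {
    echo "vulnerable form: SQL syntax error, input altered the query text\n";
}

adicionarRacaSeguro($db, $entrada);
$linhas = $db->query('SELECT descricao FROM raca')->fetchAll(PDO::FETCH_COLUMN);
echo 'hardened form stored: ' . implode(', ', $linhas) . "\n";
```

Run with `php example.php`; the apostrophe is stored verbatim by the prepared statement while the concatenated form fails, which is the behaviour the 3.2.10 fix restores for the real endpoint.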
Details
- CWE(s)