CVE-2025-24905
Published: 03 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24905 is a SQL injection vulnerability in the WeGIA application, a web manager for charitable institutions. The flaw resides in the `get_codigobarras_cobranca.php` endpoint, where insufficient input validation allows arbitrary SQL query execution. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89. The vulnerability affects WeGIA versions prior to 3.2.12.
An unauthenticated remote attacker can exploit this vulnerability with low attack complexity, requiring no privileges, no user interaction, and no special conditions. Successful exploitation allows arbitrary SQL queries to run against the application's database, which can expose sensitive records or delete them.
The issue has been addressed in WeGIA version 3.2.12, and all users are advised to upgrade immediately. No workarounds are known. Additional details are available in the GitHub Security Advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qjc6-5qv6-fr8m.
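To make the CWE-89 pattern concrete, the following is an added example, not code from WeGIA or from the advisory. The page does not name the request parameter or the query behind `get_codigobarras_cobranca.php`, so the table names, column names, rows and payloads below are invented, and the "safe" function shows the standard remediation for this weakness class (a bound parameter), not necessarily the exact change shipped in 3.2.12. SQLite is used only so the example runs offline.

```python
import sqlite3

# Constructed stand-in for the billing ("cobranca") data such an endpoint reads.
# Table names, column names and every row below are invented for this example;
# they are not WeGIA's real schema or data.
COBRANCA_ROWS = [
    (1, "00190000090123456789", 150.00, "Donor A"),
    (2, "00190000090987654321", 75.50, "Donor B"),
    (3, "23790000011122233344", 300.00, "Donor C"),
]
USUARIO_ROWS = [
    (1, "admin", "$2y$10$constructed-hash-for-admin"),
    (2, "tesouraria", "$2y$10$constructed-hash-for-tesouraria"),
]

# Two textbook payloads for a single-quoted string context: a tautology that
# makes the WHERE clause always true, and a UNION that pulls rows out of a
# different table and comments away the trailing quote the code appends.
TAUTOLOGY = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT id, login, 0, senha_hash FROM usuario --"


def make_db():
    """Builds an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cobranca (id INTEGER PRIMARY KEY, "
                 "codigo_barras TEXT, valor REAL, pagador TEXT)")
    conn.execute("CREATE TABLE usuario (id INTEGER PRIMARY KEY, "
                 "login TEXT, senha_hash TEXT)")
    conn.executemany("INSERT INTO cobranca VALUES (?, ?, ?, ?)", COBRANCA_ROWS)
    conn.executemany("INSERT INTO usuario VALUES (?, ?, ?)", USUARIO_ROWS)
    return conn


def lookup_vulnerable(conn, codigo):
    """CWE-89 pattern: the request value is spliced into the SQL text, so a
    quote in it closes the string literal and the remainder is parsed as SQL."""
    sql = ("SELECT id, codigo_barras, valor, pagador FROM cobranca "
           f"WHERE codigo_barras = '{codigo}'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, codigo):
    """Fixed pattern: the SQL text is constant and the value is bound, so
    whatever the client sends is compared as data and never parsed as SQL."""
    sql = ("SELECT id, codigo_barras, valor, pagador FROM cobranca "
           "WHERE codigo_barras = ?")
    return conn.execute(sql, (codigo,)).fetchall()


def leaked_logins(conn):
    """Pushes the UNION payload through the vulnerable lookup and returns the
    logins it exposes: a read-only lookup endpoint turned into a dump of a
    table it was never meant to touch (the C:H part of the CVSS vector)."""
    return sorted(row[1] for row in lookup_vulnerable(conn, UNION_PAYLOAD))


if __name__ == "__main__":
    conn = make_db()
    print("legit value, vulnerable:", lookup_vulnerable(conn, "00190000090123456789"))
    print("tautology, vulnerable  :", len(lookup_vulnerable(conn, TAUTOLOGY)), "rows")
    print("tautology, safe        :", lookup_safe(conn, TAUTOLOGY))
    print("union, vulnerable      :", leaked_logins(conn))
```

Run as a script it prints one row for the legitimate barcode, all three rows for the tautology through the vulnerable path, no rows for the same payload through the bound-parameter path, and the two user logins for the UNION payload. With `PR:N` in the vector, the vulnerable path is reachable by anyone who can send a request to the host, which is why the page maps this to exploitation of a public-facing application.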
Details
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Affected Products
- WeGIA, versions prior to 3.2.12 (fixed in 3.2.12)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The vulnerable endpoint is part of a web application that is typically exposed to the Internet, and the CVSS vector (AV:N, PR:N, UI:N) means it can be attacked remotely without credentials or victim interaction. Exploiting a SQL injection in such an endpoint to gain a foothold is exactly what T1190 describes.
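Because the technique is reachable from the outside, web server access logs are the place to look for attempts. The following is an added detection example, not tooling from WeGIA or from the advisory. It scans Apache/nginx combined-format lines for requests to `get_codigobarras_cobranca.php` whose URL-decoded query parameters contain common SQL injection markers. The parameter name `id`, the `/wegia/` directory prefix and every log line are constructed for the example; the real parameter name is not given on the page, so the scanner checks every parameter rather than one.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script name taken from the advisory; the directory it lives under on a given
# install is not known here, so matching is done on the final path component.
TARGET_SCRIPT = "get_codigobarras_cobranca.php"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markers are matched against the *decoded* parameter value, so %27 and '+'
# encodings are already resolved. Each is a coarse heuristic, not proof.
SQLI_PATTERNS = [
    ("quote_then_boolean", re.compile(r"'\s*(or|and)\b", re.I)),
    ("union_select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("comment_terminator", re.compile(r"(--|#|/\*)")),
    ("time_based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
]

# Constructed sample: one benign lookup, a tautology, a UNION probe, and an
# unrelated endpoint whose value happens to contain an apostrophe.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2025:10:15:32 +0000] "GET /wegia/get_codigobarras_cobranca.php?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Feb/2025:10:15:40 +0000] "GET /wegia/get_codigobarras_cobranca.php?id=12%27+OR+%271%27%3D%271 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Feb/2025:10:16:02 +0000] "GET /wegia/get_codigobarras_cobranca.php?id=0+UNION+SELECT+1,2,3,4-- HTTP/1.1" 200 2048 "-" "python-requests/2.32"',
    '198.51.100.23 - - [03/Feb/2025:10:16:10 +0000] "GET /wegia/index.php?q=O%27Brien HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Splits one combined-format line into fields plus decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify_value(value):
    """Returns the names of every SQLI_PATTERNS entry the value matches."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]


def scan(lines):
    """Yields one hit per suspicious parameter on requests to TARGET_SCRIPT."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/" + TARGET_SCRIPT):
            continue
        for name, value in rec["params"]:
            reasons = classify_value(value)
            if reasons:
                hits.append({
                    "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                    "size": rec["size"], "param": name, "value": value,
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two caveats a practitioner should keep in mind: a value only appears in the access log when it travels in the query string, so a payload sent in a POST body needs request-body logging or a WAF log instead; and the patterns operate on a single round of URL decoding, so double-encoded payloads (`%2527`) will slip past unless the scanner decodes until the value stops changing. A sudden jump in response size for the same endpoint (as in the constructed 512-byte versus 4096-byte lines) is a useful secondary signal that a tautology actually returned extra rows.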