CVE-2025-24906
Published: 03 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24906 is a SQL injection vulnerability (CWE-89) discovered in the WeGIA application, a web manager for charitable institutions. The flaw affects the `get_detalhes_cobranca.php` endpoint and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It impacts WeGIA versions prior to 3.2.12.
An unauthenticated remote attacker can exploit this vulnerability over the network to execute arbitrary SQL queries, enabling access to or deletion of sensitive information. The CVSS metrics indicate low attack complexity, no required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
The vulnerability has been addressed in WeGIA version 3.2.12, with all users advised to upgrade immediately. No workarounds are known. Additional details are available in the GitHub Security Advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jpph-g9p7-9jrm.
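To make the weakness class concrete, the following added example (not WeGIA's code and not taken from the advisory) reproduces a CWE-89 pattern in Python over an in-memory SQLite database: a hypothetical "charge details" lookup that interpolates a request parameter into SQL, beside a version that binds the parameter. The table names, rows, the `id` parameter name and the payloads are all constructed for illustration; the advisory names only the endpoint, not the vulnerable parameter or query.

```python
"""Illustration of the CWE-89 weakness class behind CVE-2025-24906 using a
hypothetical stand-in for a charge-details lookup. Schema, rows, parameter
name and payloads are constructed for this example; none of it is WeGIA's
own source or data."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a charges table plus an unrelated users table
    that the intended endpoint should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cobranca (id INTEGER PRIMARY KEY, descricao TEXT, valor REAL);
        CREATE TABLE usuario  (id INTEGER PRIMARY KEY, login TEXT, senha_hash TEXT);
        INSERT INTO cobranca VALUES (1, 'Mensalidade Janeiro', 50.0),
                                    (2, 'Doacao especial', 120.0);
        INSERT INTO usuario  VALUES (1, 'admin', '$2y$10$constructedhash');
        """
    )
    return conn


def detalhes_vulneravel(conn, id_param: str):
    """Vulnerable pattern: the request parameter is concatenated into the
    statement, so SQL metacharacters in it rewrite the query. This mirrors
    the weakness class, not WeGIA's actual code."""
    sql = f"SELECT id, descricao, valor FROM cobranca WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def detalhes_parametrizado(conn, id_param: str):
    """Binding alone: the driver passes the value as data, so a payload can
    only ever be compared against the id column, never parsed as SQL."""
    sql = "SELECT id, descricao, valor FROM cobranca WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


def detalhes_seguro(conn, id_param: str):
    """Hardened version: allow-list validation (the id must be a positive
    integer) as defence in depth, then the same parameterized query."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return detalhes_parametrizado(conn, int(id_param))


# Constructed payloads standing in for what an unauthenticated request could carry.
TAUTOLOGY = "1 OR 1=1"                                            # dumps every charge
UNION_READ = "0 UNION SELECT id, login, senha_hash FROM usuario"  # reads another table


def demo() -> dict:
    """Run each variant against the same database and collect the outcomes."""
    conn = build_db()
    results = {
        "vuln_tautology": detalhes_vulneravel(conn, TAUTOLOGY),
        "vuln_union": detalhes_vulneravel(conn, UNION_READ),
        "bound_only_tautology": detalhes_parametrizado(conn, TAUTOLOGY),
        "bound_only_union": detalhes_parametrizado(conn, UNION_READ),
        "safe_benign": detalhes_seguro(conn, "1"),
    }
    try:
        detalhes_seguro(conn, TAUTOLOGY)
        results["safe_tautology"] = "accepted"
    except ValueError:
        results["safe_tautology"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tautology payload makes the concatenated query return every charge, and the UNION payload pulls rows from an unrelated table through the same endpoint, which is the "access to sensitive information" impact the advisory describes. With the value bound as a parameter both payloads match nothing, because SQLite compares the whole string against the integer column instead of parsing it; the `isdigit` check on top simply rejects malformed input before it reaches the database.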
Details
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection")
- Affected Products: WeGIA, versions prior to 3.2.12 (fixed in 3.2.12)
- MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
SQL injection in public-facing web app enables remote unauthenticated exploitation for data access/deletion, directly mapping to T1190 Exploit Public-Facing Application.