CVE-2025-24958

CVE-2025-24958 is a SQL injection vulnerability in the WeGIA application, a web manager for charitable institutions. The flaw resides in the `salvar_tag.php` endpoint, where insufficient input validation allows arbitrary SQL query execution. It affects WeGIA versions prior to 3.2.12 and is classified under CWE-89 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An authorized attacker with low-privilege access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. Successful exploitation enables execution of arbitrary SQL queries, potentially granting access to or deletion of sensitive information stored in the database.

The GitHub Security Advisory (GHSA-2mhx-5998-46hx) confirms the issue has been fixed in WeGIA version 3.2.12, urging all users to upgrade immediately. No workarounds are available.