CVE-2025-26616
Published: 18 February 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-26616 is a path traversal vulnerability in the WeGIA open-source web manager application, primarily targeted at Portuguese-language institutional users. The flaw resides in the `exportar_dump.php` endpoint, which allows attackers to traverse directories and access sensitive files outside the intended path. Specifically, it enables unauthorized retrieval of `config.php`, a configuration file containing database credentials and other sensitive information that could facilitate direct database access. The vulnerability is associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-284 (Improper Access Control), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious requests to the `exportar_dump.php` endpoint, they can read the contents of `config.php`, exposing database connection details. This confidentiality impact could enable subsequent attacks, such as unauthorized data extraction or manipulation from the underlying database, depending on the exposed credentials' privileges.
The GitHub Security Advisory (GHSA-xxqg-p22h-3f32) confirms the issue has been patched in WeGIA version 3.2.14, urging all users to upgrade immediately. No workarounds are available.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing web app directly enables T1190 for remote unauthenticated exploitation; exposure of database credentials in config.php facilitates T1552.001 for unsecured credential access from files.