CVE-2025-30361
Published: 27 March 2025
Description
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Security Summary
CVE-2025-30361 is a critical authentication bypass vulnerability affecting WeGIA, an open-source web manager for charitable institutions, in versions prior to 3.2.6. The flaw resides in the control.php endpoint, where it is possible to change any user's password without verifying the old password. This improper authentication mechanism, mapped to CWE-287, enables attackers to circumvent both authentication and authorization controls. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
Any unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted requests to the control.php endpoint, they can reset the password of arbitrary users, including administrative accounts, granting full unauthorized access to the application and potentially the underlying systems or data.
The GitHub security advisory (GHSA-m6qw-r3m9-jf7h) confirms that WeGIA version 3.2.6 addresses and fixes this issue, recommending immediate upgrades for affected installations. No additional workarounds are specified in the available references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in public-facing web app (control.php) directly enables T1190 for initial access via crafted requests and T1098 for unauthorized account manipulation (password changes without verification).