CVE-2025-30364
Published: 27 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-30364 is a SQL injection vulnerability (CWE-89) affecting WeGIA, a web-based management system for charitable institutions, in versions prior to 3.2.8. The flaw resides in the endpoint /WeGIA/html/funcionario/remuneracao.php, which fails to properly sanitize the id_funcionario parameter before using it in a database query. This allows attackers to inject and execute arbitrary SQL commands against the underlying database. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Remote attackers require no authentication, privileges, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables arbitrary SQL command execution, potentially allowing full database compromise, including data extraction, modification, deletion, or denial of service through destructive queries.
The GitHub security advisory (GHSA-x3ff-5qp7-43qv) confirms that upgrading to WeGIA version 3.2.8 resolves the issue by addressing the input validation flaw in the affected endpoint. Security practitioners should prioritize patching affected instances and review access logs for suspicious activity targeting the remuneracao.php endpoint.
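As an added example (not part of the advisory or of WeGIA itself), the following scanner implements the log review suggested above: it parses Common Log Format lines, keeps only requests to the affected endpoint, and flags any request whose id_funcionario value is missing, repeated, or not a plain integer. The log lines are constructed for the example, and the assumption that id_funcionario is always a small integer is the reviewer's, not something the advisory states.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
ENDPOINT = "/WeGIA/html/funcionario/remuneracao.php"  # from the advisory
PARAM = "id_funcionario"                               # from the advisory
VALID_ID = re.compile(r"^[0-9]{1,10}$")  # assumption: an employee id is a small integer


def analyze_line(line):
    """Return a finding dict for a request to the affected endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    # parse_qs percent-decodes, so '42%27' is inspected as "42'"
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    reasons = [f"non-integer value {v!r}" for v in values if not VALID_ID.match(v)]
    if not values:
        reasons.append("parameter missing")
    elif len(values) > 1:
        reasons.append("parameter repeated")
    notes = []
    if m.group("status") == "500":
        notes.append("server error")  # a broken query often surfaces as a 500
    if m.group("method") != "GET":
        notes.append("body parameters are not visible in an access log")
    return {"host": m.group("host"), "time": m.group("time"),
            "status": int(m.group("status")), "values": values,
            "suspicious": bool(reasons), "reasons": reasons, "notes": notes}


def scan_log(lines):
    """Every request to the endpoint, in log order, with its verdict."""
    return [f for f in map(analyze_line, lines) if f]


# Constructed sample lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2025:10:01:02 +0000] "GET /WeGIA/html/funcionario/remuneracao.php?id_funcionario=42 HTTP/1.1" 200 5120
203.0.113.10 - - [27/Mar/2025:10:01:09 +0000] "GET /WeGIA/html/funcionario/remuneracao.php?id_funcionario=42%27 HTTP/1.1" 500 312
198.51.100.7 - - [27/Mar/2025:10:02:30 +0000] "GET /WeGIA/html/funcionario/remuneracao.php?id_funcionario=abc HTTP/1.1" 200 311
198.51.100.7 - - [27/Mar/2025:10:02:31 +0000] "GET /WeGIA/html/index.php HTTP/1.1" 200 1000
""".splitlines()
```

Only GET query strings are visible in a standard access log, so POST submissions to the same endpoint need request-body logging or a WAF log to apply the same check.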
Details
CWE(s): CWE-89 (SQL Injection)
Affected Products: WeGIA, versions prior to 3.2.8
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an unauthenticated, public-facing web endpoint directly enables T1190 (Exploit Public-Facing Application); arbitrary SQL execution facilitates T1213.006 (Data from Information Repositories: Databases) for data extraction, modification, or deletion.