CVE-2025-23220

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-23220
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_raca.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw. This vulnerability is fixed in 3.2.10.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/LabRedesCefetRJ/WeGIA/commit/1739e1589948a207b8a82b9bfe078cb826d420de Patch
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-425j-h4cf-g52j Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
History

28 Feb 2025, 19:18

Type Values Removed Values Added
CPE cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*
First Time Wegia wegia
Wegia
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
References () https://github.com/LabRedesCefetRJ/WeGIA/commit/1739e1589948a207b8a82b9bfe078cb826d420de - () https://github.com/LabRedesCefetRJ/WeGIA/commit/1739e1589948a207b8a82b9bfe078cb826d420de - Patch
References () https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-425j-h4cf-g52j - () https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-425j-h4cf-g52j - Exploit, Vendor Advisory

18 Feb 2025, 21:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.8 		v2 : unknown
v3 : unknown

21 Jan 2025, 15:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
Summary
  • (es) WeGIA es un gestor web de código abierto centrado en el idioma portugués y en instituciones benéficas. Se identificó una vulnerabilidad de inyección SQL en la aplicación WeGIA, concretamente en el archivo endpoint adicionar_raca.php. Esta vulnerabilidad permite a los atacantes ejecutar comandos SQL arbitrarios en la base de datos, lo que permite el acceso no autorizado a información sensible. Durante la explotación, fue posible realizar un volcado completo de la base de datos de la aplicación, lo que pone de relieve la gravedad de la falla. Esta vulnerabilidad se ha corregido en la versión 3.2.10.

20 Jan 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-20 16:15

Updated : 2025-02-28 19:18

NVD link : CVE-2025-23220

Mitre link : CVE-2025-23220

CVE.ORG link : CVE-2025-23220

JSON object : View

Products Affected

wegia

  • wegia
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')