CVE-2025-24020

WeGIA is a Web manager for charitable institutions. An Open Redirect vulnerability was identified in the `control.php` endpoint of versions up to and including 3.2.10 of the WeGIA application. The vulnerability allows the `nextPage` parameter to be manipulated, redirecting authenticated users to arbitrary external URLs without validation. The issue stems from the lack of validation for the `nextPage` parameter, which accepts external URLs as redirection destinations. This vulnerability can be exploited to perform phishing attacks or redirect users to malicious websites. Version 3.2.11 contains a fix for the issue.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/commit/89d98bf074cebf6c4ed95fca6f64e325c0b1d2f0	Patch
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/v3.2.11	Release Notes
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-27g8-5q48-xmw6	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

History

13 Feb 2025, 19:01

Type	Values Removed	Values Added
Summary		(es) WeGIA es un gestor web para instituciones benéficas. Se ha identificado una vulnerabilidad de Open Redirect en el `control.php` endpoint de las versiones hasta incluida 3.2.10 de la aplicación WeGIA. La vulnerabilidad permite manipular el parámetro `nextPage`, redirigiendo a los usuarios autenticados a URL externas arbitrarias sin validación. El problema surge de la falta de validación del parámetro `nextPage`, que acepta URL externas como destinos de redirección. Esta vulnerabilidad puede explotarse para realizar ataques de phishing o redirigir a los usuarios a sitios web maliciosos. La versión 3.2.11 contiene una solución para el problema.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:wegia:wegia::::::::
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/commit/89d98bf074cebf6c4ed95fca6f64e325c0b1d2f0 -~~	() https://github.com/LabRedesCefetRJ/WeGIA/commit/89d98bf074cebf6c4ed95fca6f64e325c0b1d2f0 - Patch
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/v3.2.11 -~~	() https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/v3.2.11 - Release Notes
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-27g8-5q48-xmw6 -~~	() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-27g8-5q48-xmw6 - Exploit, Vendor Advisory
First Time		Wegia wegia Wegia

21 Jan 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-21 18:15

Updated : 2025-02-13 19:01

NVD link : CVE-2025-24020

Mitre link : CVE-2025-24020

CVE.ORG link : CVE-2025-24020

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

6.1 /10