CVE-2025-53091: Unauthenticated SQL Injection Vulnerability in WeGIA Web Manager

WeGIA, an open-source web manager primarily used by Portuguese-speaking and charitable institutions, has been found vulnerable to a critical security flaw. This vulnerability could allow unauthorized access to sensitive data.

Vulnerability Details

CVE ID: CVE-2025-53091
Description: A Time-Based Blind SQL Injection vulnerability exists in WeGIA version 3.3.3, specifically affecting the almox parameter of the /controle/getProdutosPorAlmox.php endpoint. An unauthenticated attacker can inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation.
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS Explanation: This vulnerability has a critical CVSS score of 10.0. This indicates it is remotely exploitable (AV:N) with low complexity (AC:L) and requires no privileges (PR:N) or user interaction (UI:N). A successful exploit could result in total loss of confidentiality (VC:H), integrity (VI:H), and availability (VA:H) of the system. The subcomponents also suffers high confidentiality (SC:H), high integrity (SI:H), and high availability (SA:H) impacts.
Exploit Requirements: No authentication is required. The attacker needs to send a crafted HTTP request to the vulnerable endpoint.
Affected Vendor: WeGIA
Affected Product: WeGIA
Affected Version: 3.3.3
CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Timeline of Events

Discovered: 2025
Reported: 2025
CVE Assigned: 2025-06-27
Fixed Version: 3.4.0

Exploitability & Real-World Risk

The SQL injection vulnerability is highly exploitable because it requires no authentication. An attacker could potentially dump the entire database, modify data, or even gain control of the server depending on database configurations and permissions. Given WeGIA's use by charitable institutions, this vulnerability poses a significant risk to sensitive donor and beneficiary data.

Recommendations

Immediate Update: Upgrade WeGIA to version 3.4.0 or later. This version contains the necessary fix to address the SQL injection vulnerability.
Web Application Firewall (WAF): Consider implementing a WAF to filter out malicious SQL injection attempts.
Input Validation: Ensure all user inputs are properly validated and sanitized to prevent SQL injection attacks.
Database Permissions: Review and restrict database permissions to the least necessary privileges to limit the impact of a successful SQL injection attack.

Technical Insight

The vulnerability occurs because the application fails to properly sanitize user-supplied input (the almox parameter) before using it in an SQL query. This allows an attacker to inject malicious SQL code that is then executed by the database, leading to unauthorized data access or modification.

Credit to Researcher(s)

This vulnerability was reported via GitHub Security Advisory.

References

GitHub Security Advisory GHSA-pmf9-2rc3-vvxx

CVE-2025-53091: Unauthenticated SQL Injection Vulnerability in WeGIA Web Manager

CVE-2025-53091: Unauthenticated SQL Injection Vulnerability in WeGIA Web Manager

Vulnerability Details

Timeline of Events

Exploitability & Real-World Risk

Recommendations

Technical Insight

Credit to Researcher(s)

References

Tags

Timeline

References

Post a Comment

Contact Form