CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-23220: WeGIA has a SQL Injection endpoint 'adicionar_raca.php' parameter 'raca'

10.0 CVSS

Description

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_raca.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in the database, allowing unauthorized access to sensitive information. During the exploit, it was possible to perform a complete dump of the application's database, highlighting the severity of the flaw. This vulnerability is fixed in 3.2.10.

Classification

CVE ID: CVE-2025-23220

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

Affected Products

Vendor: LabRedesCefetRJ

Product: WeGIA

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.68% (scored less or equal to compared to others)

EPSS Date: 2025-02-18 (when was this score calculated)

References

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-425j-h4cf-g52j
https://github.com/LabRedesCefetRJ/WeGIA/commit/1739e1589948a207b8a82b9bfe078cb826d420de

Timeline

2025-01-21 00:33:23 UTC
CVE

WeGIA has a SQL Injection endpoint 'adicionar_raca.php' parameter 'raca'