CVE-2025-22140
📋 TL;DR
A SQL injection vulnerability in WeGIA's dependente_listar_um.php endpoint allows attackers to execute arbitrary SQL commands through the id_dependente parameter. This can lead to database compromise including data theft, modification, or deletion. All WeGIA installations below version 3.2.8 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of sensitive donor/beneficiary data, administrative account takeover, and potential server compromise via database server file system access.
Likely Case
Data exfiltration of sensitive personal information, modification of charitable records, and potential privilege escalation within the application.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, with database permissions restricted to minimum necessary privileges.
🎯 Exploit Status
Exploitation requires access to the funcionario module. SQL injection is well-understood with many available tools, but specific exploitation may require some reconnaissance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.8
Vendor Advisory: https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mrhp-wfp2-59h5
Restart Required: No
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.2.8 from the official repository.
3. Replace the vulnerable file /html/funcionario/dependente_listar_um.php with the patched version.
4. Verify the fix by testing the endpoint with SQL injection test payloads.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to ensure the id_dependente parameter contains only numeric values
Add to dependente_listar_um.php: if(!is_numeric($_GET['id_dependente'])) { die('Invalid input'); }
WAF Rule
Implement web application firewall rules to block SQL injection patterns targeting the vulnerable endpoint
ModSecurity rule: SecRule ARGS:id_dependente "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt detected'"
Cloudflare WAF: Enable SQLi protection rules
🧯 If You Can't Patch
- Block external access to /html/funcionario/dependente_listar_um.php via firewall or web server configuration
- Implement database-level controls: restrict application database user permissions to SELECT only, enable database auditing
🔍 How to Verify
Check if Vulnerable:
Test the endpoint with SQL injection payloads: /html/funcionario/dependente_listar_um.php?id_dependente=1' OR '1'='1
Check Version:
Check WeGIA version in admin panel or examine version.php file
Verify Fix Applied:
Attempt SQL injection payloads against the patched endpoint and verify they are rejected or sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple rapid requests to dependente_listar_um.php with varying parameters
- Database queries containing UNION, SELECT, FROM keywords from web application
Network Indicators:
- HTTP requests to /html/funcionario/dependente_listar_um.php with SQL keywords in parameters
- Unusual database traffic patterns from web server
SIEM Query:
source="web_logs" AND uri="/html/funcionario/dependente_listar_um.php" AND (param="id_dependente" AND value MATCHES "[';]|UNION|SELECT|FROM")
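The SIEM query above expressed as runnable detection logic over web server access logs, as an added example that is not part of the original advisory or the WeGIA project. It assumes Apache-style combined log lines (the sample lines below are constructed) and URL-decodes the id_dependente value so that percent-encoded variants such as %27 are caught as well as the plain form.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines for illustration; not real WeGIA traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /html/funcionario/dependente_listar_um.php?id_dependente=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2025:10:01:07 +0000] "GET /html/funcionario/dependente_listar_um.php?id_dependente=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876',
    '10.0.0.9 - - [12/Mar/2025:10:01:09 +0000] "GET /html/funcionario/dependente_listar_um.php?id_dependente=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 310',
    '10.0.0.7 - - [12/Mar/2025:10:02:00 +0000] "GET /html/funcionario/outro.php?id_dependente=1%27 HTTP/1.1" 200 100',
]

# Endpoint named in the advisory.
TARGET_URI = "/html/funcionario/dependente_listar_um.php"

# Extract the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Same indicators as the SIEM query: quote, semicolon, or SQL keywords (case-insensitive).
SQLI_RE = re.compile(r"[';]|\bUNION\b|\bSELECT\b|\bFROM\b", re.IGNORECASE)


def suspicious_requests(log_lines):
    """Return (client_ip, decoded id_dependente value) for every request to the
    vulnerable endpoint whose id_dependente parameter contains an injection indicator."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != TARGET_URI:
            continue  # other endpoints are out of scope for this rule
        # parse_qs decodes one layer of percent-encoding; unquote again catches double-encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("id_dependente", []):
            value = unquote(raw)
            if SQLI_RE.search(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOGS):
        print(f"possible SQLi from {ip}: id_dependente={value!r}")
```

A purely numeric id_dependente (as enforced by the is_numeric workaround above) never matches this rule, so hits after patching point at probing rather than legitimate use.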