CVE-2025-22141
📋 TL;DR
A SQL injection vulnerability in WeGIA's /dao/verificar_recursos_cargo.php endpoint allows attackers to execute arbitrary SQL commands through the cargo parameter. This can lead to database compromise including data theft, modification, or deletion. All WeGIA installations below version 3.2.8 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of sensitive donor/beneficiary data, administrative credential theft, and potential system takeover via subsequent attacks.
Likely Case
Data exfiltration of sensitive information from the database, including personally identifiable information and financial records.
If Mitigated
Limited impact with proper input validation and WAF rules blocking SQL injection patterns.
🎯 Exploit Status
Requires knowledge of the endpoint and parameter structure, but SQL injection techniques are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.8
Vendor Advisory: https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636
Restart Required: No
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.2.8 from the official repository.
3. Replace the vulnerable file /dao/verificar_recursos_cargo.php with the patched version.
4. Verify the fix by testing the endpoint with SQL injection payloads.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to sanitize the cargo parameter before processing
Modify /dao/verificar_recursos_cargo.php to validate the cargo parameter and query the database using prepared statements or parameterized queries
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns
Add WAF rule: deny requests containing SQL keywords like UNION, SELECT, INSERT, UPDATE, DELETE, DROP in the cargo parameter
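The following is an added example, not WeGIA's own code, showing the pattern the "Input Validation Filter" workaround calls for: the parameter bound as a typed placeholder instead of being spliced into the SQL text. The vulnerable form is kept beside it so the difference is visible. Table and column names (cargo, id_cargo, descricao) are assumptions, and an in-memory SQLite database stands in for the real one so the file runs offline. Note that the WAF keyword rule above is only a stopgap: a blocklist of keywords can be bypassed and may also reject legitimate values, whereas a bound parameter is never parsed as SQL regardless of its content.

```php
<?php
// Added example, not WeGIA's own code: the concatenation pattern behind
// CVE-2025-22141 next to the parameterized form. Table/column names
// (cargo, id_cargo, descricao) are assumptions; SQLite in memory replaces
// the real database so this runs offline.

declare(strict_types=1);

// Vulnerable pattern: the parameter becomes part of the SQL text.
function buscarRecursosCargoVulneravel(PDO $pdo, string $cargo): array
{
    $sql = "SELECT id_cargo, descricao FROM cargo WHERE id_cargo = '" . $cargo . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the value, then bind it as a typed parameter.
function buscarRecursosCargo(PDO $pdo, string $cargo): array
{
    if (!ctype_digit($cargo)) {
        // Reject anything that is not a plain integer id before it reaches SQL.
        throw new InvalidArgumentException('cargo must be a numeric id');
    }
    $stmt = $pdo->prepare('SELECT id_cargo, descricao FROM cargo WHERE id_cargo = :cargo');
    // Bound values travel separately from the statement text and are never
    // interpreted as SQL, whatever characters they contain.
    $stmt->bindValue(':cargo', (int) $cargo, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demonstration with constructed data (not real WeGIA records) ---
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE cargo (id_cargo INTEGER PRIMARY KEY, descricao TEXT)');
$pdo->exec("INSERT INTO cargo VALUES (1, 'Coordenador'), (2, 'Voluntário'), (3, 'Tesoureiro')");

$legit = '2';
$probe = "1' OR '1'='1"; // the check value from the "How to Verify" section

// The vulnerable query returns one row for the legitimate id but every row
// for the probe; the hardened query returns one row and rejects the probe.
printf("legit, vulnerable: %d row(s)\n", count(buscarRecursosCargoVulneravel($pdo, $legit)));
printf("probe, vulnerable: %d row(s)\n", count(buscarRecursosCargoVulneravel($pdo, $probe)));
printf("legit, hardened:   %d row(s)\n", count(buscarRecursosCargo($pdo, $legit)));
try {
    buscarRecursosCargo($pdo, $probe);
} catch (InvalidArgumentException $e) {
    printf("probe, hardened:   rejected (%s)\n", $e->getMessage());
}
```

Run it with `php example.php` (requires the pdo_sqlite extension). When the real connection is MySQL, also set PDO::ATTR_EMULATE_PREPARES to false in the PDO options so the statement is prepared on the server rather than interpolated client-side by the driver.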
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for the cargo parameter
- Deploy a web application firewall with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Test the /dao/verificar_recursos_cargo.php endpoint with SQL injection payloads in the cargo parameter (e.g., cargo=1' OR '1'='1)
Check Version:
Check the WeGIA version in the admin panel or review the version files in the installation directory
Verify Fix Applied:
Attempt SQL injection payloads against the patched endpoint and verify they are rejected or sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple failed requests to /dao/verificar_recursos_cargo.php with SQL keywords
Network Indicators:
- HTTP requests to /dao/verificar_recursos_cargo.php containing SQL injection patterns in parameters
SIEM Query:
source="web_logs" AND uri="/dao/verificar_recursos_cargo.php" AND (param="cargo" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|;)")
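As an added example (not part of the advisory), the script below applies the detection logic from this section to web-server access-log lines: it keeps only requests to /dao/verificar_recursos_cargo.php, URL-decodes the cargo parameter and tests it against the keyword pattern from the SIEM query. It adds one further check, which is an assumption rather than something the advisory states: cargo is treated as a numeric id, so any non-numeric value is flagged. That matters because the probe value from the "How to Verify" section contains none of the listed keywords and would pass the SIEM query unflagged. The log lines are constructed samples in Apache/Nginx combined format.

```php
<?php
// Added example, not part of the advisory or of WeGIA: applies the advisory's
// detection logic to access-log lines. Keyword pattern is the one from the
// SIEM query; the non-numeric check assumes cargo is a numeric identifier.
// All log lines below are constructed samples, not real traffic.

declare(strict_types=1);

const TARGET_URI = '/dao/verificar_recursos_cargo.php';
// Keyword pattern from the advisory's SIEM query (case-insensitive).
const KEYWORD_PATTERN = '/(union|select|insert|update|delete|drop|--|;)/i';
// Positive validation (assumption): a numeric id should be digits only.
const EXPECTED_VALUE = '/^\d+$/';
// Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes
const LOG_LINE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3})/';

/**
 * Returns one entry per suspicious request: ip, time, HTTP status, the
 * decoded cargo value and the reasons it was flagged.
 */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_LINE, $line, $m)) {
            continue; // not a request line in the expected format
        }
        $parts = parse_url($m['target']);
        if (($parts['path'] ?? '') !== TARGET_URI || empty($parts['query'])) {
            continue; // different endpoint, or no query string to inspect
        }
        parse_str($parts['query'], $params); // parse_str also URL-decodes
        if (!isset($params['cargo']) || !is_string($params['cargo'])) {
            continue;
        }
        $cargo = $params['cargo'];
        $reasons = [];
        if (preg_match(KEYWORD_PATTERN, $cargo)) {
            $reasons[] = 'sql-keyword';
        }
        if (!preg_match(EXPECTED_VALUE, $cargo)) {
            $reasons[] = 'non-numeric-cargo';
        }
        if ($reasons !== []) {
            $hits[] = [
                'ip'      => $m['ip'],
                'time'    => $m['time'],
                'status'  => (int) $m['status'],
                'cargo'   => $cargo,
                'reasons' => $reasons,
            ];
        }
    }
    return $hits;
}

// Constructed sample log lines: a normal lookup, the probe value from the
// "How to Verify" section, a keyword-bearing value, and an unrelated URI.
$sample = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /dao/verificar_recursos_cargo.php?cargo=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2025:12:00:07 +0000] "GET /dao/verificar_recursos_cargo.php?cargo=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192',
    '198.51.100.7 - - [10/Mar/2025:12:01:30 +0000] "GET /dao/verificar_recursos_cargo.php?cargo=5%20UNION%20SELECT%201 HTTP/1.1" 500 233',
    '198.51.100.7 - - [10/Mar/2025:12:01:31 +0000] "GET /index.php?q=select HTTP/1.1" 200 1024',
];

// One JSON object per flagged request, suitable for forwarding to a SIEM.
foreach (scanAccessLog($sample) as $hit) {
    echo json_encode($hit, JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```

Two limitations a practitioner should keep in mind: access logs record only the query string, so a cargo value sent in a POST body needs application-level logging or a reverse proxy that logs request bodies; and the keyword list will also match harmless values such as a job title containing "select", so the non-numeric check (or whatever positive validation matches the parameter's real format) is the more reliable signal.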