CVE-2025-24020
📋 TL;DR
This CVE describes an Open Redirect vulnerability in WeGIA web management software for charitable institutions. Authenticated users can be tricked into visiting malicious external websites via manipulated redirects in the control.php endpoint. All installations running WeGIA versions up to and including 3.2.10 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Users redirected to sophisticated phishing sites that steal credentials or deliver malware, potentially leading to account compromise and further system infiltration.
Likely Case
Users redirected to phishing pages attempting to steal login credentials or personal information, or to malicious sites delivering drive-by downloads.
If Mitigated
Users redirected to benign but unintended external sites, causing confusion but no direct security compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple - just modifying the nextPage parameter value.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.11
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-27g8-5q48-xmw6
Restart Required: No
Instructions:
1. Download WeGIA version 3.2.11 from GitHub releases.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Verify the fix by testing the redirect functionality.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation so that only relative URLs or trusted domains are accepted in the nextPage parameter.
Modify control.php to validate the nextPage parameter against allowed domains or relative paths only.
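The server-side check described above, as an added example that is not WeGIA's own code: it is written in Python rather than the project's PHP, so it illustrates the validation logic rather than being a drop-in for control.php. The trusted host name and the safe default page are assumed values; the tricky inputs it rejects (protocol-relative "//host", extra slashes, backslashes, "https:host", userinfo, control characters) are the usual ways a naive "starts with /" or "contains trusted domain" filter is bypassed.

```python
from urllib.parse import urlsplit

# Assumed values: WeGIA's real hostname(s) and landing page are not on this page.
TRUSTED_HOSTS = {"wegia.example.org"}
SAFE_DEFAULT = "/home.php"

def safe_next_page(next_page, trusted_hosts=TRUSTED_HOSTS, default=SAFE_DEFAULT):
    """Return a redirect target that stays on this site or on a trusted host.

    Anything else (untrusted absolute URL, protocol-relative URL, non-http
    scheme, backslash or whitespace tricks) is replaced by `default`.
    """
    if not isinstance(next_page, str):
        return default
    value = next_page.strip()
    # Browsers drop tabs and newlines while parsing URLs, so "/\t/evil"
    # would become "//evil"; reject any control character outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default
    # Browsers treat "\" like "/" in http(s) URLs, so "\\evil.example" is
    # really "//evil.example"; normalise before parsing.
    value = value.replace("\\", "/")
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. an unbalanced "[" in the host part
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Scheme-less and host-less: a path on this origin. Require exactly
        # one leading slash; "//host" and "///host" resolve to another host.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return default
    # Absolute URL: only http(s), an exact allow-listed host, and no userinfo
    # ("http://trusted@evil.example" actually has host evil.example).
    if parts.scheme not in ("http", "https"):
        return default
    host = (parts.hostname or "").lower()
    if host in trusted_hosts and parts.username is None and parts.password is None:
        return value
    return default
```

Exact host matching is deliberate: a suffix or substring check would accept "wegia.example.org.evil.example".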
WAF Rule
Block requests with external URLs in the nextPage parameter.
Add a WAF rule to detect and block a nextPage parameter containing http://, https://, or external domains.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to restrict redirect destinations
- Monitor logs for suspicious redirect patterns and external domain usage in nextPage parameter
🔍 How to Verify
Check if Vulnerable:
Test by accessing control.php with the nextPage parameter set to an external URL such as https://example.com and check whether the redirect occurs.
Check Version:
Check the WeGIA version in the admin panel, or read the version file if one is available.
Verify Fix Applied:
After patching, repeat the same external URL redirect attempt: it should be blocked or redirected to a safe default.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to control.php with nextPage parameter containing external domains
- Unusual redirect patterns in access logs
Network Indicators:
- Outbound connections to unexpected domains following control.php access
SIEM Query:
source="web_logs" AND uri="*control.php*" AND (param="*nextPage=http*" OR param="*nextPage=https*")