CVE-2025-30367
📋 TL;DR
A SQL injection vulnerability in WeGIA web management software allows attackers to manipulate database queries through the nextPage parameter. This enables unauthorized access to sensitive database information including table names and data. Organizations using WeGIA versions before 3.2.6 are affected.
💻 Affected Systems
- WeGIA Web Manager for Charitable Institutions
📦 What is this software?
WeGIA, open-source web management software for charitable institutions, maintained in the LabRedesCefetRJ GitHub repository linked in the vendor advisory below.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to theft of all sensitive charitable institution data, including donor information, financial records, and personal data.
Likely Case
Extraction of sensitive database information, potential data modification, and possible authentication bypass.
If Mitigated
Limited impact with proper input validation and WAF protection, though risk remains until patched.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized; the CVSS 9.8 score indicates critical severity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.6
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-7j9v-xgmm-h7wr
Restart Required: Yes
Instructions:
1. Back up the current installation and database.
2. Download WeGIA version 3.2.6 from the official repository.
3. Replace the affected files with the patched version.
4. Restart the web server.
5. Verify functionality.
🔧 Temporary Workarounds
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns in the nextPage parameter. Example ModSecurity rule (uses the libinjection-based @detectSQLi operator; msg added so hits are identifiable in the audit log):
SecRule ARGS:nextPage "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt in nextPage (CVE-2025-30367)'"
Input Validation Filter
Implement server-side input validation for the nextPage parameter. PHP example (checks that the parameter is present and is a plain integer; is_numeric() alone also accepts floats, exponents such as "1e3", and surrounding whitespace, and reading a missing key raises a warning):
if (!isset($_GET['nextPage']) || filter_var($_GET['nextPage'], FILTER_VALIDATE_INT) === false) { http_response_code(400); die('Invalid input'); }
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for the control.php endpoint
- Deploy network segmentation and restrict access to WeGIA instance from untrusted networks
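The two workaround items above (strict validation of nextPage, parameterized queries in the control.php endpoint) combined in one handler. This is an added illustration, not WeGIA's own code: the table name `records`, its columns, the page size, the DSN and the credentials are placeholders, and the 'records' query stands in for whatever paginated query control.php actually runs.

```php
<?php
// Added example (not WeGIA's code): strict handling of nextPage before it
// reaches SQL, plus a prepared statement so the value cannot change the
// query structure. Table/column names, DSN and credentials are placeholders.
declare(strict_types=1);

const PAGE_SIZE = 25;

/**
 * Returns nextPage as a validated non-negative integer, or null when it is
 * anything else. Unlike is_numeric(), FILTER_VALIDATE_INT rejects floats,
 * exponents ("1e3"), hex and surrounding whitespace.
 */
function parseNextPage(mixed $raw, int $maxPage = 100000): ?int
{
    if (!is_string($raw)) {          // arrays (nextPage[]=1) and missing values
        return null;
    }
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $maxPage],
    ]);
    return $page === false ? null : $page;
}

/**
 * Fetches one page of rows. The pattern to avoid is building the query with
 * string concatenation ("... LIMIT " . $_GET['nextPage']); here LIMIT and
 * OFFSET are bound as integers in a server-side prepared statement.
 */
function fetchPage(PDO $db, int $page): array
{
    $stmt = $db->prepare(
        'SELECT id, name FROM records ORDER BY id LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':limit', PAGE_SIZE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $page * PAGE_SIZE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling, as the control.php endpoint would do it
$page = parseNextPage($_GET['nextPage'] ?? null);
if ($page === null) {
    http_response_code(400);
    exit('Invalid nextPage parameter');
}

$db = new PDO('mysql:host=localhost;dbname=wegia', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

header('Content-Type: application/json');
echo json_encode(fetchPage($db, $page));
```

Binding LIMIT/OFFSET with PDO::PARAM_INT and PDO::ATTR_EMULATE_PREPARES disabled matters on MySQL: with emulated prepares the driver quotes every bound value as a string, which MySQL rejects in a LIMIT clause.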
🔍 How to Verify
Check if Vulnerable:
Test the /WeGIA/controle/control.php endpoint with SQL injection payloads in nextPage parameter (e.g., nextPage=1' OR '1'='1)
Check Version:
Check WeGIA version in admin interface or review source code for version markers
Verify Fix Applied:
Attempt SQL injection tests against patched version; verify parameterized queries are used
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web logs
- Multiple requests with SQL-like patterns in nextPage parameter
- Unexpected database query patterns
Network Indicators:
- HTTP requests to /WeGIA/controle/control.php with SQL injection payloads
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/WeGIA/controle/control.php" AND (param="nextPage" AND value MATCHES "[';]|UNION|SELECT|FROM|WHERE")
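The log indicators and SIEM query above, applied offline to web-server access-log lines. This is an added example, not part of the advisory or of WeGIA: it assumes Apache/nginx combined log format, the endpoint path quoted on this page, and the same indicator set as the SIEM query (quotes, semicolons, comment markers, SQL keywords); the three log lines are constructed for the demonstration, one of them carrying the page's own `1' OR '1'='1` test value in URL-encoded form.

```php
<?php
// Added example (not WeGIA's code): flag access-log requests to control.php
// whose nextPage value is not a plain integer and contains SQL metacharacters
// or keywords. Log lines at the bottom are constructed, not real traffic.
declare(strict_types=1);

const TARGET_PATH = '/WeGIA/controle/control.php';

// Combined log format: ip - - [time] "METHOD target HTTP/x" status size
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';

// Indicators from the SIEM query above, matched against the decoded value.
const SQLI_RE = '/[\'";]|--|\/\*|#|\b(UNION|SELECT|FROM|WHERE|OR|AND|SLEEP)\b/i';

/** Parses one log line; returns null if it is not a control.php?nextPage request. */
function analyzeLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;                                   // unparseable line
    }
    [, $ip, $time, $method, $target, $status] = $m;
    $parts = parse_url($target);
    if (($parts['path'] ?? '') !== TARGET_PATH || empty($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);               // URL-decodes values
    if (!isset($params['nextPage']) || !is_string($params['nextPage'])) {
        return null;
    }
    $value = $params['nextPage'];
    $plainInt = filter_var($value, FILTER_VALIDATE_INT) !== false;
    return [
        'ip'         => $ip,
        'time'       => $time,
        'method'     => $method,
        'status'     => (int) $status,
        'nextPage'   => $value,
        'suspicious' => !$plainInt && preg_match(SQLI_RE, $value) === 1,
    ];
}

/** Returns only the suspicious entries, ready for alerting or a SIEM push. */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = analyzeLine($line);
        if ($r !== null && $r['suspicious']) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample lines: a normal page request, the page's test value
// URL-encoded against control.php, and the same value against another path.
$sample = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /WeGIA/controle/control.php?nextPage=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /WeGIA/controle/control.php?nextPage=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 221',
    '203.0.113.9 - - [10/Mar/2025:10:00:03 +0000] "GET /WeGIA/index.php?nextPage=1%27 HTTP/1.1" 200 800',
];

foreach (scanAccessLog($sample) as $hit) {   // prints only the second line
    printf("%s %s %s nextPage=%s status=%d\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['nextPage'], $hit['status']);
}
```

Decoding before matching is the point: the SIEM query's pattern list only fires if the log field it inspects holds the decoded value, so a `%27` in a raw request line would otherwise slip past a check for `'`. Pairing the flagged request with its HTTP status (a 500 on the second sample) also covers the "unusual SQL error messages" indicator without needing database logs.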