CVE-2025-54061
📋 TL;DR
A SQL injection vulnerability in WeGIA web management software allows attackers to manipulate database queries through the idatendido_familiares parameter. This enables unauthorized access to sensitive database information including table structures and stored data. Organizations using WeGIA versions before 3.4.6 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to theft of sensitive charitable donor data, financial information, and personal records, potentially enabling further system access.
Likely Case
Extraction of database contents including user credentials, personal information, and organizational data stored in WeGIA.
If Mitigated
Limited information disclosure if proper input validation and WAF rules are in place.
🎯 Exploit Status
SQL injection vulnerabilities are commonly exploited with automated tools. Exploitation requires access to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.6
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g47q-vfpj-g9mr
Restart Required: Yes
Instructions:
1. Back up the current installation and database.
2. Download WeGIA version 3.4.6 from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the web server service.
🔧 Temporary Workarounds
Input Validation Filter
Add parameter validation to filter SQL injection attempts
Modify /html/funcionario/dependente_editarDoc.php to validate idatendido_familiares parameter using prepared statements
Web Application Firewall Rule
Block SQL injection patterns targeting the vulnerable endpoint
Add WAF rule: deny requests to /html/funcionario/dependente_editarDoc.php with SQL injection patterns in parameters
🧯 If You Can't Patch
- Block external access to /html/funcionario/dependente_editarDoc.php endpoint at network level
- Implement strict input validation and parameterized queries in the application code
🔍 How to Verify
Check if Vulnerable:
Check if version is below 3.4.6 and test endpoint with SQL injection payloads in idatendido_familiares parameter
Check Version:
Check WeGIA version in admin panel or review application files for version information
Verify Fix Applied:
Confirm version is 3.4.6 or higher and test that SQL injection attempts no longer succeed
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web server logs
- Multiple requests to /html/funcionario/dependente_editarDoc.php with suspicious parameters
Network Indicators:
- SQL keywords in HTTP POST parameters to vulnerable endpoint
- Unusual database query patterns from web server
SIEM Query:
source="web_server" AND uri="/html/funcionario/dependente_editarDoc.php" AND (param="idatendido_familiares" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|\*|;)")
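The SIEM query above only matches the raw parameter value; the same keyword pattern applied in code, after URL-decoding the idatendido_familiares value from either the query string or a POST body, is shown here as an added example that is not part of this advisory. The sample requests are constructed, not real WeGIA traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/html/funcionario/dependente_editarDoc.php"
PARAM = "idatendido_familiares"
# Same keyword pattern as the SIEM query in the advisory.
SQLI_PATTERN = re.compile(r"(?i)(union|select|insert|update|delete|drop|--|#|\*|;)")


def extract_param(request_line, body=""):
    """Return decoded values of PARAM sent to ENDPOINT via query string or form body."""
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    values = parse_qs(parts.query).get(PARAM, [])
    if method == "POST" and body:
        values += parse_qs(body).get(PARAM, [])
    # parse_qs decodes once; decoding again catches double-encoded values.
    return [unquote_plus(v) for v in values]


def is_suspicious(request_line, body=""):
    """True if any decoded PARAM value matches the SQL keyword pattern."""
    return any(SQLI_PATTERN.search(v) for v in extract_param(request_line, body))


def flagged_indices(requests):
    """Indices of (request_line, body) pairs that should raise an alert."""
    return [i for i, (line, body) in enumerate(requests) if is_suspicious(line, body)]


# Constructed sample access-log entries (hypothetical, for illustration only).
SAMPLE_REQUESTS = [
    ("GET /html/funcionario/dependente_editarDoc.php?idatendido_familiares=42 HTTP/1.1", ""),
    ("GET /html/funcionario/dependente_editarDoc.php?idatendido_familiares=42%20UNION%20SELECT HTTP/1.1", ""),
    ("POST /html/funcionario/dependente_editarDoc.php HTTP/1.1", "idatendido_familiares=1%27%3B--"),
    ("GET /html/funcionario/outro.php?idatendido_familiares=select HTTP/1.1", ""),
]

if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_REQUESTS):
        print("ALERT:", SAMPLE_REQUESTS[i][0])
```

Only requests to the vulnerable endpoint are inspected, so the last sample (a different path) is ignored even though its value contains a keyword.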