CVE-2025-54079
📋 TL;DR
A SQL injection vulnerability in WeGIA web management software allows authenticated attackers to execute arbitrary SQL queries through the idatendido parameter in the Profile_Atendido.php endpoint. This can lead to unauthorized access to sensitive database information. Organizations using WeGIA versions before 3.4.6 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of sensitive donor, beneficiary, and financial data, potential authentication bypass, and full system takeover.
Likely Case
Unauthorized access to sensitive personal information of beneficiaries and donors, potential data modification or deletion.
If Mitigated
Limited impact with proper input validation and database permissions, though SQL injection attempts would still be logged.
🎯 Exploit Status
SQL injection vulnerabilities are commonly exploited, though this requires authenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.6
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g4v3-j8w5-33v3
Restart Required: No
Instructions:
1. Back up your current WeGIA installation and database.
2. Download WeGIA version 3.4.6 from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify that the Profile_Atendido.php file has proper input validation.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules to block malicious requests.
Input Validation Filter
Implement server-side input validation to sanitize the idatendido parameter.
Modify Profile_Atendido.php to validate idatendido as an integer before it is used in any query. is_numeric() is not sufficient for this, because it also accepts values such as "1.5", "1e3" and leading whitespace, so check for a strict integer instead:
// Reject the request unless idatendido is a plain integer (missing parameter also fails the check)
if (filter_var($_GET['idatendido'] ?? '', FILTER_VALIDATE_INT) === false) { die('Invalid input'); }
🧯 If You Can't Patch
- Restrict access to the vulnerable endpoint using network ACLs or authentication controls.
- Implement database-level protections: use least privilege accounts, enable query logging, and review database permissions.
🔍 How to Verify
Check if Vulnerable:
Check if your WeGIA version is below 3.4.6 and examine the Profile_Atendido.php file for lack of input validation on the idatendido parameter.
Check Version:
Check the WeGIA version in the admin panel or review the software documentation files.
Verify Fix Applied:
Verify the installed version is 3.4.6 or higher and test the Profile_Atendido.php endpoint with SQL injection test payloads to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by access to Profile_Atendido.php
- HTTP requests with SQL keywords in idatendido parameter
Network Indicators:
- HTTP POST/GET requests to /html/atendido/Profile_Atendido.php containing SQL syntax
SIEM Query:
source="web_logs" AND uri="/html/atendido/Profile_Atendido.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*DELETE*")
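The log and network indicators above, as an added Python detector that is not part of the advisory or of WeGIA: it parses constructed combined-format access log lines, isolates the idatendido value for the affected endpoint and flags anything that is not a plain integer. Unlike the glob-based SIEM query it URL-decodes the value (including double encoding) and matches SQL keywords case-insensitively, so it generalizes the query rather than restating it.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint and parameter named in the advisory
TARGET_PATH = "/html/atendido/Profile_Atendido.php"
TARGET_PARAM = "idatendido"

# Apache/nginx "combined" access log prefix; only the fields used below are captured
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Keywords from the advisory's SIEM query plus comment and quote characters, matched case-insensitively
SQL_RE = re.compile(r"""\b(union|select|insert|delete|update|drop|or|and)\b|--|/\*|['";]""", re.IGNORECASE)

def check_line(line):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None  # other endpoints are out of scope for this rule
    # parse_qs decodes once; decode once more so double-encoded payloads (%2527) are matched too
    for raw in parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, []):
        value = unquote_plus(raw)
        if value.isdigit():
            continue  # a legitimate idatendido is a plain integer
        return {
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "value": value,
            "sql_keyword": bool(SQL_RE.search(value)),
        }
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and keep the findings."""
    return [f for f in (check_line(l) for l in lines) if f]

# Constructed sample log lines, not real traffic
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2025:10:01:02 +0000] "GET /html/atendido/Profile_Atendido.php?idatendido=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Jul/2025:10:01:07 +0000] "GET /html/atendido/Profile_Atendido.php?idatendido=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 6100',
    '10.0.0.9 - - [12/Jul/2025:10:01:09 +0000] "GET /html/atendido/Profile_Atendido.php?idatendido=42%2527%2520or%25201%253D1 HTTP/1.1" 200 6100',
    '10.0.0.7 - - [12/Jul/2025:10:02:00 +0000] "GET /html/index.php?idatendido=1%27 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only query-string parameters appear in access logs, so POST bodies to the same endpoint need request logging at the application or WAF layer to be covered.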