CVE-2025-61665
📋 TL;DR
CVE-2025-61665 is a broken access control vulnerability in WeGIA, an open-source web manager for charitable institutions. Unauthenticated attackers can directly access the get_relatorios_socios.php endpoint to retrieve sensitive personal and financial information of members without any authentication. This affects all deployments running WeGIA versions 3.4.12 and below.
💻 Affected Systems
- WeGIA
📦 What is this software?
WeGIA, an open-source web management system for charitable institutions, maintained by the WeGIA project (LabRedesCefetRJ on GitHub)
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach exposing all member personal information (names, addresses, contact details) and financial data, potentially leading to identity theft, financial fraud, and regulatory penalties.
Likely Case
Unauthenticated attackers harvesting sensitive member data for malicious purposes, compromising privacy and potentially enabling targeted attacks against individuals.
If Mitigated
No data exposure if proper authentication and authorization controls are implemented at the endpoint level.
🎯 Exploit Status
Exploitation requires only direct HTTP requests to the vulnerable endpoint without any authentication. The advisory provides details about the vulnerable code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.0
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-62wp-6qmh-6p5f
Restart Required: Yes
Instructions:
1. Back up the current WeGIA installation and database.
2. Download WeGIA version 3.5.0 from the official repository.
3. Replace the existing files with the new version's files.
4. Run any database migration scripts if provided.
5. Restart web server services.
🔧 Temporary Workarounds
Block direct access to vulnerable endpoint
Applies to all affected versions. Configure the web server to deny access to the get_relatorios_socios.php endpoint. Note that this also blocks legitimate, logged-in users from running the member report; if the report is still needed, use the authentication-check workaround below instead.
# For Apache 2.4+: add to .htaccess (needs AllowOverride to permit <Files>) or to the vhost config
<Files "get_relatorios_socios.php">
    Require all denied
</Files>
# For Apache 2.2 the legacy syntax is (on 2.4 this only works with mod_access_compat loaded):
# <Files "get_relatorios_socios.php">
#     Order Deny,Allow
#     Deny from all
# </Files>
# For Nginx: add to the server block, BEFORE the generic "location ~ \.php$" block,
# since nginx uses the first matching regex location. "deny all" already answers 403;
# the explicit return is optional.
location ~ /get_relatorios_socios\.php$ {
    deny all;
    return 403;
}
Implement authentication middleware
Applies to all affected versions. Add an authentication check at the beginning of the get_relatorios_socios.php file, before any database query or output.
<?php
// Add at the top of get_relatorios_socios.php, before any data is read or output.
// NOTE: $_SESSION['authenticated'] is a placeholder key. Use the session variable
// that WeGIA's own login code sets after a successful login; with the wrong key,
// every request (including legitimate ones) is denied.
if (session_status() === PHP_SESSION_NONE) {
    session_start();   // avoid a "session already started" notice if WeGIA starts it first
}
if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
    http_response_code(403);
    exit('Access denied');
}
?>
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to WeGIA application to authorized users only
- Deploy a web application firewall (WAF) with rules to block unauthenticated access to sensitive endpoints
🔍 How to Verify
Check if Vulnerable:
Attempt to access /get_relatorios_socios.php endpoint without authentication. If it returns member data, the system is vulnerable.
Check Version:
Check WeGIA version in admin panel or examine version.php file in installation directory
Verify Fix Applied:
After patching, attempt to access /get_relatorios_socios.php endpoint without authentication. It should return an authentication error or 403 Forbidden.
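The check described above, written out as a small script to run against your own WeGIA instance. This is an added example, not code from the advisory or the WeGIA project. It requests the endpoint with no session cookie and classifies the outcome; the endpoint path comes from the advisory, the base URL is an argument, and the classification rules (a 401/403 or a redirect to a login page counts as fixed, a 200 with a body counts as vulnerable) are this script's assumptions. A 200 with a non-empty body should still be inspected by hand, since some applications render error pages with status 200.

```python
"""Verification helper for CVE-2025-61665 (added example, not from the advisory).

Usage: python3 check_wegia.py https://wegia.example.org
"""
import sys
import urllib.error
import urllib.request

ENDPOINT = "/get_relatorios_socios.php"   # endpoint named in the advisory


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a redirect to the login page is itself the signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # makes urllib raise HTTPError for the 3xx, which we catch below


def classify(status, body):
    """Map an unauthenticated response to 'fixed', 'vulnerable' or 'inconclusive'."""
    if status in (401, 403):
        return "fixed"                      # explicit authentication error
    if status in (301, 302, 303, 307, 308):
        return "fixed"                      # assumed: redirect to the login page
    if status == 200 and body.strip():
        return "vulnerable"                 # data returned without a session; inspect body
    return "inconclusive"                   # empty 200, 404, 5xx, etc.


def check(base_url, timeout=10):
    """Request the endpoint without any cookies and classify the result."""
    url = base_url.rstrip("/") + ENDPOINT
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-61665-verify"})
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode(errors="replace"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_wegia.py <base-url>")
    print(check(sys.argv[1]))
```

Run it before and after applying the 3.5.0 update (or a workaround): the result should move from "vulnerable" to "fixed".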
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses to /get_relatorios_socios.php from unauthenticated IPs
- Unusual access patterns to member data endpoints
Network Indicators:
- HTTP GET requests to /get_relatorios_socios.php without preceding authentication requests
- Large data transfers from WeGIA server to unfamiliar IPs
SIEM Query:
source="wegia_access.log" AND uri="/get_relatorios_socios.php" AND NOT (user_agent="*bot*" OR user_agent="*crawler*") | stats count by src_ip
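The log and network indicators above, implemented as a small detection script that runs over web server access logs. This is an added example, not from the advisory or the WeGIA project. It parses combined-format (Apache/Nginx) access log lines, ignores bot and crawler user agents as the SIEM query does, tracks which source IPs performed a login, and reports IPs that received 200 responses from get_relatorios_socios.php without a preceding login, together with the bytes transferred. The login path (`/login.php`) and the sample log lines are constructed assumptions; adjust the constants to your deployment.

```python
"""Detection helper for CVE-2025-61665 (added example, not from the advisory)."""
import re
from collections import defaultdict

ENDPOINT = "/get_relatorios_socios.php"   # endpoint named in the advisory
LOGIN_PATH = "/login.php"                 # ASSUMED login path; check your WeGIA install
BOT_UA = re.compile(r"bot|crawler", re.IGNORECASE)

# Apache/Nginx "combined" log format
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec


def find_suspicious(lines):
    """Return {ip: {"hits": n, "bytes": total}} for source IPs that got 200 responses
    from ENDPOINT without an earlier successful login, ignoring bot/crawler agents."""
    logged_in = set()
    findings = defaultdict(lambda: {"hits": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or BOT_UA.search(rec["ua"]):
            continue
        # A login POST answered with 200 or a redirect is taken as a successful login.
        if rec["path"] == LOGIN_PATH and rec["method"] == "POST" and rec["status"] in (200, 302):
            logged_in.add(rec["ip"])
        elif rec["path"] == ENDPOINT and rec["status"] == 200 and rec["ip"] not in logged_in:
            findings[rec["ip"]]["hits"] += 1
            findings[rec["ip"]]["bytes"] += rec["bytes"]
    return dict(findings)


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2025:12:00:05 +0000] "GET /get_relatorios_socios.php HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:12:01:00 +0000] "GET /get_relatorios_socios.php HTTP/1.1" 200 48211 "-" "python-requests/2.32"',
    '198.51.100.7 - - [10/Oct/2025:12:01:02 +0000] "GET /get_relatorios_socios.php?page=2 HTTP/1.1" 200 48100 "-" "python-requests/2.32"',
    '192.0.2.44 - - [10/Oct/2025:12:02:00 +0000] "GET /get_relatorios_socios.php HTTP/1.1" 200 48211 "-" "Googlebot/2.1"',
    '192.0.2.45 - - [10/Oct/2025:12:03:00 +0000] "GET /get_relatorios_socios.php HTTP/1.1" 403 199 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, info in find_suspicious(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} unauthenticated hits, {info['bytes']} bytes")
```

On the sample, only 198.51.100.7 is reported: 203.0.113.10 logged in first, 192.0.2.44 is excluded as a bot, and 192.0.2.45 received a 403 (the expected response on a patched system). On a real log, feed the function `open(path)` and treat any reported IP with a high byte count as a likely data harvesting attempt.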