CVE-2025-62360
📋 TL;DR
A SQL injection vulnerability in WeGIA's /html/funcionario/dependente_documento.php endpoint allows attackers to execute arbitrary SQL commands via the id_dependente parameter. This can lead to data theft, data manipulation, or complete database compromise. All WeGIA installations prior to version 3.5.1 are affected.
💻 Affected Systems
- WeGIA Web Manager
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, data destruction, privilege escalation, and potential remote code execution if database functions allow it.
Likely Case
Unauthorized data access and manipulation of employee-dependent records, potentially leading to data theft or integrity issues.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database user privilege restrictions in place.
🎯 Exploit Status
SQL injection is a well-understood attack vector with many automated tools available. Requires access to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.1
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m4j6-q5m4-x24g
Restart Required: No
Instructions:
1. Back up your current WeGIA installation and database.
2. Download WeGIA version 3.5.1 or later from the official repository.
3. Replace the vulnerable file /html/funcionario/dependente_documento.php with the patched version.
4. Verify the fix by testing the endpoint with SQL injection test payloads.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to only accept numeric values for the id_dependente parameter
Modify dependente_documento.php to include: if (!is_numeric($_GET['id_dependente'])) { die('Invalid input'); }
WAF Rule
Implement web application firewall rules to block SQL injection patterns
Add WAF rule: SecRule ARGS:id_dependente "@detectSQLi" "id:1001,phase:2,deny,status:403"
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in the application code
- Restrict database user permissions to minimum required privileges
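The input-validation workaround and the parameterized-query advice above, combined into one hardened request handler as an added example (this is not WeGIA's own code; it assumes PHP 8 with PDO, and the table name, column names, DSN and credentials are placeholders):

```php
<?php
// Added example, not WeGIA's code: hardened handling of the id_dependente
// parameter used by dependente_documento.php. Table/column names, DSN and
// credentials below are assumed placeholders, not WeGIA's real schema.
declare(strict_types=1);

function validateIdDependente(mixed $raw): int
{
    // FILTER_VALIDATE_INT is stricter than is_numeric(): it rejects floats,
    // exponents such as "1e3", and anything like "1' OR '1'='1".
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('Invalid input');
    }
    return $id;
}

function fetchDocumentos(PDO $pdo, int $idDependente): array
{
    // Parameterized query: the value is bound as an integer and never
    // concatenated into the SQL string, so no injection is possible here
    // even if validation were bypassed.
    $stmt = $pdo->prepare(
        'SELECT id_documento, nome_arquivo FROM dependente_documento WHERE id_dependente = :id'
    );
    $stmt->bindValue(':id', $idDependente, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Least-privilege connection: a read-only DB user is assumed (placeholder credentials).
$pdo = new PDO('mysql:host=localhost;dbname=wegia', 'wegia_readonly', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
]);

$id = validateIdDependente($_GET['id_dependente'] ?? null);
header('Content-Type: application/json');
echo json_encode(fetchDocumentos($pdo, $id));
```

With PDO::ERRMODE_EXCEPTION set, make sure the exception is caught and logged server-side rather than echoed to the client, so database error text never reaches the response.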
🔍 How to Verify
Check if Vulnerable:
Test the endpoint with SQL injection payloads like: /html/funcionario/dependente_documento.php?id_dependente=1' OR '1'='1
Check Version:
Check WeGIA version in admin panel or review application files for version markers
Verify Fix Applied:
Attempt SQL injection tests against the patched endpoint and verify they are rejected or properly handled
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple failed parameter validation attempts
- Suspicious parameter values containing SQL keywords
Network Indicators:
- HTTP requests to /html/funcionario/dependente_documento.php with SQL injection patterns in parameters
SIEM Query:
source="*wegia*" AND (url="*/dependente_documento.php*" AND (param="*UNION*" OR param="*SELECT*" OR param="*OR '1'='1*"))
🔗 References
- https://github.com/LabRedesCefetRJ/WeGIA/commit/7abbffd3915a64b97dde01954222fc0fbd804f70
- https://github.com/LabRedesCefetRJ/WeGIA/issues/310
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m4j6-q5m4-x24g
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mwvv-q9gh-gwxm