CVE-2025-27096

WeGIA is a Web Manager for Institutions with a focus on Portuguese language. A SQL Injection vulnerability was discovered in the WeGIA application, personalizacao_upload.php endpoint. This vulnerability allow an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive information. This issue has been addressed in version 3.2.14 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j856-wh9m-9vpm	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*

History

28 Feb 2025, 19:18

Type	Values Removed	Values Added
CPE		cpe:2.3:a:wegia:wegia::::::::
First Time		Wegia Wegia wegia
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j856-wh9m-9vpm -~~	() https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j856-wh9m-9vpm - Exploit, Vendor Advisory
Summary		(es) WeGIA es un administrador web para instituciones enfocado en el idioma portugués. Se descubrió una vulnerabilidad de inyección SQL en el endpoint personalizacao_upload.php de la aplicación WeGIA. Esta vulnerabilidad permite que un atacante autorizado ejecute consultas SQL arbitrarias, lo que permite el acceso a información confidencial. Este problema se ha solucionado en la versión 3.2.14 y se recomienda a todos los usuarios que actualicen la versión. No se conocen workarounds para esta vulnerabilidad.

20 Feb 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-20 19:15

Updated : 2025-02-28 19:18

NVD link : CVE-2025-27096

Mitre link : CVE-2025-27096

CVE.ORG link : CVE-2025-27096

JSON object : View

Products Affected

wegia

wegia

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-27096", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-20T19:15:12.157", "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j856-wh9m-9vpm", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "WeGIA is a Web Manager for Institutions with a focus on Portuguese language. A SQL Injection vulnerability was discovered in the WeGIA application, personalizacao_upload.php endpoint. This vulnerability allow an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive information. This issue has been addressed in version 3.2.14 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "WeGIA es un administrador web para instituciones enfocado en el idioma portugu\u00e9s. Se descubri\u00f3 una vulnerabilidad de inyecci\u00f3n SQL en el endpoint personalizacao_upload.php de la aplicaci\u00f3n WeGIA. Esta vulnerabilidad permite que un atacante autorizado ejecute consultas SQL arbitrarias, lo que permite el acceso a informaci\u00f3n confidencial. Este problema se ha solucionado en la versi\u00f3n 3.2.14 y se recomienda a todos los usuarios que actualicen la versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2025-02-28T19:18:34.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89844E59-1EDD-4F24-8959-13E7687F2B9C", "versionEndExcluding": "3.2.14"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}