CVE-2025-55167 in WeGIA

Summary

by MITRE • 08/12/2025

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_remover.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue has been patched in version 3.4.8.


Analysis

by VulDB Data Team • 08/18/2025

WeGIA is a web management system built for Portuguese-speaking charitable organizations, providing administrative functions for institutional data and personnel records. The open source project has been adopted by non-profit entities looking for localized web management tooling. Its architecture exposes a number of endpoints for handling employee dependents and related administrative tasks; the /html/funcionario/dependente_remover.php component is the one responsible for removing dependent records from the database. The vulnerability sits in that component's data handling and is a critical weakness that directly affects the integrity of the platform.

The SQL injection vulnerability lies in how the dependent removal endpoint processes the id_dependente parameter. The value supplied by the user is incorporated directly into the SQL query text without sanitization or parameterization, so input that alters the intended query structure can cause the database to execute unauthorized operations. This is the classic SQL injection pattern: unvalidated user input becomes part of the command the database executes, letting an attacker manipulate database contents through crafted payloads.
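As an added illustration, not code from WeGIA, the concatenation pattern described above beside its parameterized replacement. The table, column names and the Python/sqlite3 stand-in are constructed assumptions, not the project's real schema or language.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for a dependents table; not WeGIA's actual schema.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE dependente (id_dependente INTEGER PRIMARY KEY, nome TEXT)")
    con.executemany("INSERT INTO dependente VALUES (?, ?)",
                    [(1, "Ana"), (2, "Bruno"), (3, "Carla")])
    con.commit()
    return con


def remover_vulneravel(con: sqlite3.Connection, id_dependente: str) -> int:
    # CWE-89 pattern: the request parameter is pasted into the SQL text, so its
    # content becomes part of the query structure. Returns rows deleted.
    sql = f"DELETE FROM dependente WHERE id_dependente = {id_dependente}"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def remover_seguro(con: sqlite3.Connection, id_dependente: str) -> int:
    # Hardened form: enforce the expected type first, then bind the value as a
    # query parameter so the driver never treats it as SQL. Returns rows deleted.
    if not re.fullmatch(r"[0-9]+", id_dependente):
        raise ValueError("id_dependente must be a non-negative integer")
    cur = con.execute("DELETE FROM dependente WHERE id_dependente = ?",
                      (int(id_dependente),))
    con.commit()
    return cur.rowcount


def contar(con: sqlite3.Connection) -> int:
    # Row count, used to observe how many dependents survived a removal.
    return con.execute("SELECT COUNT(*) FROM dependente").fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    # A tautology in the parameter turns a single-row delete into a full wipe.
    print("vulnerable, rows deleted:", remover_vulneravel(con, "1 OR 1=1"), "left:", contar(con))
    con = make_db()
    try:
        remover_seguro(con, "1 OR 1=1")
    except ValueError as exc:
        print("hardened rejected input:", exc, "left:", contar(con))
```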

The operational impact of this vulnerability extends across all three pillars of information security. Confidentiality is compromised because an attacker can extract sensitive data from the database, including personal information about employees and their dependents. Integrity suffers because database entries can be modified or deleted, corrupting organizational data and potentially affecting financial records or personnel management. Availability is threatened by denial of service conditions that lock database resources or corrupt critical tables. Because the flaw reaches the whole database behind the WeGIA platform, it can undermine the operations of the charitable institutions that depend on it.

This vulnerability is classified under CWE-89, which covers SQL injection flaws in software applications. In the ATT&CK framework it falls under T1190, representing exploitation of remote services through SQL injection techniques. The root cause is poor input validation and a lack of parameterized database queries, a weakness that attackers frequently target. Organizations running WeGIA should remediate immediately by updating to version 3.4.8, which adds proper input sanitization and parameterized queries. Additional defensive measures include deploying a web application firewall, conducting regular security assessments, and restricting the database account's privileges to limit the damage a similar flaw could cause.

Responsible

GitHub M

Reservation

08/07/2025

Disclosure

08/12/2025

Moderation

accepted

CPE

ready

EPSS

0.00088

KEV

no

Activities

very low

Sources
