CVE-2025-61665 in WeGIA
Summary
by MITRE • 10/03/2025
WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0.
Analysis
by VulDB Data Team • 10/07/2025
CVE-2025-61665 affects WeGIA version 3.4.12 and earlier. It is a critical broken access control flaw that undermines the security posture of the charitable institutions relying on this open source web management platform. The vulnerability resides in the get_relatorios_socios.php endpoint, which serves as a gateway to member-related data. Because the endpoint does not enforce authentication or authorization, an unauthenticated attacker can retrieve sensitive information directly, bypassing the system's access control model entirely. Given that WeGIA is designed for charitable organizations, the exposure of member data poses significant risks to donor privacy and institutional security.
The root cause is inadequate input validation and missing access control checks within the get_relatorios_socios.php endpoint. An attacker can exploit the weakness simply by requesting the endpoint without any credentials, skipping the intended authorization flow. This is a classic broken access control vulnerability classified under CWE-285, which covers applications that fail to properly enforce access restrictions on resources. The flaw enables unauthorized exfiltration of personal and financial information, including member details, donation records, and potentially sensitive institutional data that should remain protected within the system.
The operational impact extends beyond simple data exposure and creates tangible risks for charitable organizations managing sensitive donor information. Unauthenticated access to member data could lead to identity theft, financial fraud, and reputational damage for the affected institutions. The vulnerability sits in the core of the platform's member management functionality and could expose thousands of donor records to unauthorized parties. Organizations running WeGIA versions 3.4.12 and below also face significant compliance risk, as the exposure of personal information violates data protection regulations and could result in regulatory penalties.
Mitigation of CVE-2025-61665 begins with an immediate upgrade to version 3.5.0, which contains the necessary security fixes. Organizations should also implement additional defensive measures, including network segmentation, web application firewalls, and monitoring for unauthorized access attempts against the vulnerable endpoint. Security teams should audit all endpoints within the WeGIA platform for similar access control weaknesses. The ATT&CK framework categorizes this vulnerability under T1078 Valid Accounts and T1566 Phishing, as attackers could leverage the flaw to establish persistent access or harvest credentials from exposed data. Regular security assessments and penetration testing should be used to prevent similar vulnerabilities in future versions, ensuring that proper authentication mechanisms are enforced throughout the application's architecture.
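The monitoring recommendation above can be put into practice with a small log-triage routine. The following is an added example, not code from VulDB or the WeGIA project: it scans constructed web-server access-log lines for successful (HTTP 200) requests to get_relatorios_socios.php from clients that never posted to a login page earlier in the same log window. The login path `/login.php`, the request path layout and the log lines themselves are assumptions for illustration; a patched instance is expected to answer such requests with a redirect or 403 rather than 200, which is why only 200 responses are flagged.

```python
import re

# Assumed paths: the page names only the report endpoint; the login path is hypothetical.
ENDPOINT = "get_relatorios_socios.php"
LOGIN_PATH = "/login.php"

# Apache/nginx "combined" log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (documentation IP ranges only); not from any real deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2025:10:00:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2025:10:00:05 +0000] "GET /get_relatorios_socios.php HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Oct/2025:10:02:11 +0000] "GET /get_relatorios_socios.php HTTP/1.1" 200 18342 "-" "python-requests/2.32"
198.51.100.23 - - [07/Oct/2025:10:02:12 +0000] "GET /get_relatorios_socios.php HTTP/1.1" 200 40211 "-" "python-requests/2.32"
192.0.2.44 - - [07/Oct/2025:10:05:00 +0000] "GET /get_relatorios_socios.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def find_unauthenticated_report_access(log_text, endpoint=ENDPOINT, login_path=LOGIN_PATH):
    """Return one finding per 200 response on the report endpoint from a client
    with no prior POST to the login page. Access logs carry no session state, so
    this is a heuristic for triage, not proof of compromise."""
    seen_login = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path == login_path and m["method"] == "POST":
            seen_login.add(ip)
            continue
        if path.endswith(endpoint) and status == 200 and ip not in seen_login:
            size = 0 if m["size"] == "-" else int(m["size"])
            findings.append({"ip": ip, "ts": m["ts"], "bytes": size})
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_report_access(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} received {f['bytes']} bytes without a prior login")
```

In the sample, only 198.51.100.23 is flagged: 203.0.113.7 authenticated first, and 192.0.2.44 was redirected, which is the behaviour expected from a patched deployment.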