CVE-2025-24958 Overview
CVE-2025-24958 is a SQL Injection vulnerability in WeGIA, an open-source web management application for charitable institutions developed by LabRedesCefetRJ. The flaw resides in the salvar_tag.php endpoint, where unsanitized user input flows into SQL queries. An authenticated attacker can inject arbitrary SQL statements to read, modify, or delete sensitive records stored by the application. The maintainers addressed the issue in WeGIA version 3.2.12, and no workarounds exist for affected deployments. The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated attackers can execute arbitrary SQL queries against the WeGIA database, leading to disclosure or destruction of sensitive institutional and beneficiary data.
Affected Products
- WeGIA application versions prior to 3.2.12
- Deployments exposing the salvar_tag.php endpoint to authenticated users
- Charitable institution management installations maintained by LabRedesCefetRJ
Discovery Timeline
- 2025-02-03 - CVE-2025-24958 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2025-24958
Vulnerability Analysis
The vulnerability is a server-side SQL Injection in WeGIA's salvar_tag.php endpoint. The endpoint accepts user-supplied parameters and concatenates them into SQL statements without proper parameterization or input sanitization. As a result, an authenticated user with low privileges can break out of the expected query context and append arbitrary SQL clauses.
The scope of impact extends beyond the immediate query. Successful exploitation enables data exfiltration through UNION-based or boolean-based techniques, modification of records via UPDATE or INSERT statements, and full row deletion using DELETE operations. Depending on database privileges, attackers may pivot to read system tables or write files where the database engine permits.
WeGIA stores records related to beneficiaries, donors, and internal operations of charitable institutions. Compromise of these records carries privacy and regulatory consequences, particularly under data protection regimes such as Brazil's LGPD.
Root Cause
The root cause is improper neutralization of special characters in SQL statements built from request parameters at salvar_tag.php. The endpoint does not enforce prepared statements or whitelist input, allowing meta-characters such as single quotes and statement terminators to alter query structure.
Attack Vector
The attack is remote and network-accessible. An attacker requires valid low-privileged credentials to reach the authenticated endpoint. Once authenticated, the attacker submits crafted parameter values to salvar_tag.php to manipulate the underlying SQL query. No user interaction is required beyond the attacker's own session.
The vulnerability is exploitable without specialized tooling. Standard HTTP clients and common SQL injection payloads are sufficient. See the GitHub Security Advisory GHSA-2mhx-5998-46hx for further technical detail.
Detection Methods for CVE-2025-24958
Indicators of Compromise
- HTTP POST or GET requests to salvar_tag.php containing SQL meta-characters such as ', --, ;, UNION, or SELECT
- Unexpected DELETE, UPDATE, or DROP statements appearing in database query logs originating from the WeGIA application user
- Anomalous data volume returned from the tag-management workflow to a single authenticated session
- Database errors logged by the application related to malformed SQL syntax tied to the tag endpoint
Detection Strategies
- Enable verbose query logging on the database backing WeGIA and search for statements referencing the tag tables with suspicious clauses
- Deploy a Web Application Firewall (WAF) rule set covering OWASP CRS SQLi signatures and monitor blocks against salvar_tag.php
- Correlate WeGIA application logs with database audit logs to identify authenticated sessions issuing abnormal query patterns
Monitoring Recommendations
- Alert on any HTTP request to salvar_tag.php containing reserved SQL tokens in parameter values
- Track outbound response sizes from the WeGIA application for the tag endpoint to surface bulk data exfiltration
- Monitor for newly created or modified administrative accounts following any suspicious request to the tag workflow
How to Mitigate CVE-2025-24958
Immediate Actions Required
- Upgrade WeGIA to version 3.2.12 or later without delay
- Audit application and database logs for prior exploitation of salvar_tag.php extending back to the deployment date
- Rotate database credentials and session tokens if exploitation cannot be ruled out
- Restrict network exposure of the WeGIA application to trusted networks where feasible
Patch Information
The maintainers fixed the issue in WeGIA 3.2.12. Administrators should pull the patched release from the LabRedesCefetRJ/WeGIA GitHub repository and follow the project's upgrade procedure. The fix is documented in the GitHub Security Advisory GHSA-2mhx-5998-46hx.
Workarounds
- No vendor-supplied workarounds exist; upgrading to 3.2.12 is the only supported remediation
- As a compensating control, place a WAF in front of WeGIA with strict SQL injection rules targeting the salvar_tag.php path
- Reduce the number of accounts authorized to access tag-management functionality until the patch is applied
# Example WAF rule (ModSecurity) blocking SQLi tokens against the vulnerable endpoint
SecRule REQUEST_URI "@contains /salvar_tag.php" \
"id:1002458,\
phase:2,\
deny,\
status:403,\
chain,\
msg:'Potential CVE-2025-24958 SQLi against WeGIA salvar_tag.php'"
SecRule ARGS "@rx (?i)(union(\s)+select|--|;|\bdrop\b|\bdelete\b\s+from)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
