CVE-2025-54060 Overview
CVE-2025-54060 is a SQL injection vulnerability in WeGIA, an open source web manager focused on Portuguese-language charitable institutions. The flaw affects versions prior to 3.4.6 and resides in the idatendido_familiares parameter of the /html/funcionario/dependente_editarInfoPessoal.php endpoint. Authenticated attackers can manipulate SQL queries to extract sensitive database contents, including table structures and stored records. The maintainers released version 3.4.6 to remediate the issue. The vulnerability maps to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Attackers with low-privileged access can exfiltrate sensitive database contents and pivot to compromise the confidentiality, integrity, and availability of the WeGIA application.
Affected Products
- WeGIA versions prior to 3.4.6
- Vendor: LabRedesCefetRJ (WeGIA project)
- Component: wegia:wegia
Discovery Timeline
- 2025-07-17 - CVE-2025-54060 published to NVD
- 2025-07-30 - Last updated in NVD database
Technical Details for CVE-2025-54060
Vulnerability Analysis
The vulnerability stems from unsanitized user input passed to a SQL query in the dependente_editarInfoPessoal.php endpoint. The idatendido_familiares request parameter is concatenated into a SQL statement without parameterized queries or input validation. An authenticated attacker can supply crafted payloads that alter the query logic, enabling extraction of arbitrary database records.
Because WeGIA is deployed by charitable institutions to manage staff, beneficiaries, and dependents, the backing database typically contains personal data. Successful exploitation enables disclosure of names, identification numbers, financial records, and other regulated information. The flaw is classified under CWE-89.
Root Cause
The root cause is improper neutralization of special elements in a SQL command. The endpoint constructs SQL using direct string concatenation of the idatendido_familiares parameter. The application does not apply prepared statements, bound parameters, or context-aware escaping before query execution.
Attack Vector
The attack vector is network-based and requires low-privileged authentication to the WeGIA application. The attacker sends a crafted HTTP request to /html/funcionario/dependente_editarInfoPessoal.php with a malicious idatendido_familiares value. Typical exploitation techniques include UNION-based extraction, boolean-based blind injection, and time-based blind injection to enumerate schemas and exfiltrate rows. No user interaction is required beyond an authenticated session.
No verified public proof-of-concept code is available. See the WeGIA GitHub Security Advisory GHSA-mw78-c4f6-2hq7 for additional technical context.
Detection Methods for CVE-2025-54060
Indicators of Compromise
- HTTP requests to /html/funcionario/dependente_editarInfoPessoal.php containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( in the idatendido_familiares parameter.
- Database server logs showing unexpected UNION, INFORMATION_SCHEMA, or SLEEP queries originating from the WeGIA application user.
- Unusual response time variance on the affected endpoint, consistent with time-based blind injection.
- Authenticated sessions issuing high volumes of requests to the dependent editing endpoint outside normal business workflows.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the idatendido_familiares parameter for SQL injection signatures.
- Enable database query logging and alert on queries referencing INFORMATION_SCHEMA or system tables from the WeGIA service account.
- Correlate web server access logs with database audit logs to identify injection attempts followed by anomalous query patterns.
Monitoring Recommendations
- Track all POST and GET traffic to /html/funcionario/dependente_editarInfoPessoal.php and baseline normal parameter values.
- Monitor authenticated user sessions for sudden access to dependent management endpoints from atypical IP ranges.
- Forward web, application, and database logs to a centralized analytics platform for cross-source correlation and retention.
How to Mitigate CVE-2025-54060
Immediate Actions Required
- Upgrade WeGIA to version 3.4.6 or later without delay.
- Audit application and database logs for evidence of prior exploitation of the idatendido_familiares parameter.
- Rotate database credentials and review the WeGIA service account permissions following any suspected compromise.
- Restrict access to the WeGIA application to trusted networks where feasible.
Patch Information
The WeGIA maintainers fixed the vulnerability in version 3.4.6. Patch details and remediation guidance are published in the WeGIA GitHub Security Advisory GHSA-mw78-c4f6-2hq7. Administrators should deploy the upgrade by following the standard WeGIA update procedure and verify the installed version after deployment.
Workarounds
- If immediate patching is not possible, place a WAF in front of WeGIA with rules blocking SQL metacharacters in the idatendido_familiares parameter.
- Apply least-privilege principles to the database account used by WeGIA, removing rights to read unrelated tables or schemas.
- Temporarily restrict the /html/funcionario/dependente_editarInfoPessoal.php endpoint to a limited set of administrative IP addresses until the patch is deployed.
# Example ModSecurity rule to block SQLi patterns in the vulnerable parameter
SecRule ARGS:idatendido_familiares "@rx (?i)(union(\s)+select|sleep\s*\(|--|;|/\*)" \
"id:1054060,phase:2,deny,status:403,log,msg:'CVE-2025-54060 WeGIA SQLi attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
