CVE-2025-54061 Overview
CVE-2025-54061 is a SQL injection vulnerability in WeGIA, an open source web manager focused on Portuguese-language charitable institutions. The flaw exists in the idatendido_familiares parameter of the /html/funcionario/dependente_editarDoc.php endpoint. Authenticated attackers can manipulate SQL queries to extract sensitive database information, including table structures and stored records. The vulnerability affects all WeGIA versions prior to 3.4.6 and is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. Version 3.4.6 resolves the issue through proper input handling.
Critical Impact
Authenticated attackers can extract sensitive database contents, including personally identifiable information stored by charitable institutions using WeGIA.
Affected Products
- WeGIA versions prior to 3.4.6
- Endpoint: /html/funcionario/dependente_editarDoc.php
- Parameter: idatendido_familiares
Discovery Timeline
- 2025-07-17 - CVE-2025-54061 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-54061
Vulnerability Analysis
The vulnerability resides in the dependente_editarDoc.php endpoint within the /html/funcionario/ directory of WeGIA. The application accepts the idatendido_familiares parameter from user input and incorporates it into a SQL query without proper sanitization or parameterization. An attacker with low-privilege authenticated access can submit crafted payloads that alter the structure of the underlying SQL statement.
Successful exploitation breaks the confidentiality, integrity, and availability of data managed by the application. Attackers can enumerate database schemas, extract records from arbitrary tables, and potentially modify stored information. Because WeGIA is deployed by charitable institutions to manage beneficiary and employee data, exfiltrated records may include sensitive personal information.
Root Cause
The root cause is the direct concatenation of untrusted user input into a SQL query string. The dependente_editarDoc.php script does not use prepared statements or bound parameters when processing the idatendido_familiares value. This allows SQL metacharacters to escape the intended query context and execute attacker-controlled SQL fragments.
Attack Vector
The attack is remote and requires network access to the WeGIA application along with low-privilege authenticated credentials. No user interaction is required. An attacker sends an HTTP request to the vulnerable endpoint with a malicious payload in the idatendido_familiares parameter. The injected SQL is executed by the backend database, returning data or modifying records based on the payload structure. See the GitHub Security Advisory GHSA-g47q-vfpj-g9mr for additional technical context.
Detection Methods for CVE-2025-54061
Indicators of Compromise
- HTTP requests to /html/funcionario/dependente_editarDoc.php containing SQL metacharacters such as single quotes, UNION, SELECT, or comment sequences (--, #) in the idatendido_familiares parameter.
- Database error messages returned in application responses referencing syntax errors or unexpected query structures.
- Anomalous database query patterns originating from the WeGIA application, including queries against information_schema tables.
Detection Strategies
- Inspect web server access logs for requests to dependente_editarDoc.php with suspicious parameter values containing SQL keywords.
- Deploy web application firewall (WAF) rules that flag SQL injection signatures targeting the idatendido_familiares parameter.
- Enable database query logging and review for unexpected SELECT operations against system catalogs or non-application tables.
Monitoring Recommendations
- Correlate authentication events with subsequent requests to the vulnerable endpoint to identify abuse from compromised accounts.
- Monitor outbound data volumes from the database server for spikes consistent with bulk data extraction.
- Alert on repeated HTTP 500 responses from the endpoint, which often indicate injection probing.
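The access-log inspection from the Detection Strategies list and the repeated-HTTP-500 correlation from the Monitoring Recommendations, as an added Python example that is not WeGIA's code or part of the original advisory; the log lines are constructed, and the signature set follows the indicator list above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/html/funcionario/dependente_editarDoc.php"
VULN_PARAM = "idatendido_familiares"
# Signatures from the advisory's indicator list: quotes, UNION/SELECT, SQL comment sequences.
SQLI_PATTERN = re.compile(r"'|\bunion\b|\bselect\b|--|#|/\*", re.IGNORECASE)
# Combined/common log format: client, timestamp, request line, status code.
LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample access log (not real WeGIA traffic); two probes come from one client.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2025:10:01:02 +0000] "GET /html/funcionario/dependente_editarDoc.php?idatendido_familiares=42 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jul/2025:10:02:11 +0000] "GET /html/funcionario/dependente_editarDoc.php?idatendido_familiares=42%27-- HTTP/1.1" 500 512 "-" "curl/8.0"
10.0.0.9 - - [17/Jul/2025:10:02:15 +0000] "GET /html/funcionario/dependente_editarDoc.php?idatendido_familiares=42%20UNION%20SELECT%201 HTTP/1.1" 500 512 "-" "curl/8.0"
10.0.0.7 - - [17/Jul/2025:10:03:00 +0000] "GET /html/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return client, path, decoded query params and status for one log line, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so signatures are matched on the decoded payload.
    return {"client": m.group("client"), "path": parts.path,
            "params": parse_qs(parts.query, keep_blank_values=True),
            "status": m.group("status")}

def is_suspicious(rec):
    """True if the request hits the vulnerable endpoint with SQL metacharacters in the parameter."""
    if rec["path"] != VULN_PATH:
        return False
    return any(SQLI_PATTERN.search(v) for v in rec["params"].get(VULN_PARAM, []))

def scan(log_text, error_threshold=2):
    """Return (suspicious requests, clients with repeated HTTP 500s on the endpoint)."""
    hits, errors = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_suspicious(rec):
            hits.append((rec["client"], rec["params"][VULN_PARAM][0]))
        if rec["path"] == VULN_PATH and rec["status"] == "500":
            errors[rec["client"]] += 1
    probing = sorted(c for c, n in errors.items() if n >= error_threshold)
    return hits, probing
```

If the parameter is known to be an integer identifier, a digits-only allowlist on the decoded value is a stricter check than the signature list and avoids keyword false positives.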
How to Mitigate CVE-2025-54061
Immediate Actions Required
- Upgrade WeGIA to version 3.4.6 or later, which contains the official fix for the SQL injection vulnerability.
- Audit existing user accounts and rotate credentials for any account that may have been used to exploit the endpoint prior to patching.
- Review database logs for evidence of unauthorized queries against sensitive tables and assess potential data exposure.
Patch Information
The WeGIA maintainers released version 3.4.6 to address CVE-2025-54061. The patch corrects input handling for the idatendido_familiares parameter in /html/funcionario/dependente_editarDoc.php. Full details are available in the GitHub Security Advisory GHSA-g47q-vfpj-g9mr.
Workarounds
- If immediate patching is not feasible, restrict network access to the /html/funcionario/dependente_editarDoc.php endpoint using application or reverse proxy rules.
- Deploy a WAF policy that blocks SQL metacharacters and injection signatures in the idatendido_familiares parameter.
- Limit database user privileges used by the WeGIA application to the minimum required, reducing the impact of successful injection.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.