Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62177

CVE-2025-62177: Wegia SQL Injection Vulnerability

CVE-2025-62177 is a SQL injection vulnerability in Wegia that allows attackers to execute arbitrary SQL commands through the id_funcionario parameter. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-62177 Overview

CVE-2025-62177 is a SQL Injection vulnerability [CWE-89] in WeGIA, an open source web manager for institutions targeting Portuguese language users. The flaw affects the /html/funcionario/dependente_listar.php endpoint, where the id_funcionario POST parameter is passed directly into a database query without sanitization. Authenticated attackers can inject arbitrary SQL commands to read, modify, or destroy database contents. The vulnerability impacts all WeGIA versions prior to 3.5.1 and is fixed in release 3.5.1.

Critical Impact

Successful exploitation compromises the confidentiality, integrity, and availability of the WeGIA database, exposing institutional records and dependent information stored by the application.

Affected Products

  • WeGIA versions prior to 3.5.1
  • Component: wegia:wegia
  • Vulnerable endpoint: /html/funcionario/dependente_listar.php

Discovery Timeline

  • 2025-10-13 - CVE-2025-62177 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-62177

Vulnerability Analysis

The vulnerability resides in html/funcionario/dependente_listar.php, a script that lists dependents associated with an employee record. The script reads the id_funcionario value from the HTTP POST body using $_POST["id_funcionario"] and concatenates it directly into a SQL statement executed through the PDO connection.

Because the parameter is neither validated, type-cast, nor parameterized, attackers with authenticated access to the application can supply crafted SQL fragments. Injected payloads execute with the privileges of the database account used by WeGIA, enabling extraction of arbitrary tables, modification of records, and potential destruction of data.

The vulnerability is categorized as Improper Neutralization of Special Elements used in an SQL Command [CWE-89]. EPSS data indicates a probability of 0.48% with a percentile of 37.867, reflecting baseline exploitation likelihood.

Root Cause

The root cause is direct use of unsanitized user-controlled input in a SQL query. The vulnerable code path retrieves $_POST["id_funcionario"] without filtering, type validation, or use of prepared statements. The lack of an integer cast or parameter binding allows SQL metacharacters and clauses to reach the database engine intact.

Attack Vector

The attack vector is network-based and requires high privileges, meaning the attacker must hold an authenticated session within WeGIA. Once authenticated, the attacker issues a POST request to /html/funcionario/dependente_listar.php with a malicious id_funcionario value. No user interaction is required to trigger execution.

php
// Patch from html/funcionario/dependente_listar.php (sanitized excerpt)
// Source: https://github.com/LabRedesCefetRJ/WeGIA/commit/017fdd71380ab898570752aebc3fe1ef318a5d0d

<?php
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

if (!isset($_SESSION["usuario"])) {
    header("Location: ../../index.php");
    exit();
} else {
    session_regenerate_id();
}

// Verifica Permissão do Usuário
require_once dirname(__FILE__, 2) . DIRECTORY_SEPARATOR . 'permissao' . DIRECTORY_SEPARATOR . 'permissao.php';
permissao($_SESSION['id_pessoa'], 11, 7);

try {
    $idFuncionario = filter_input(INPUT_POST, 'id_funcionario', FILTER_SANITIZE_NUMBER_INT);

    if (!$idFuncionario || $idFuncionario < 1) {
        throw new InvalidArgumentException('O id do funcionário informado não é válido.', 400);
    }

The patch replaces direct use of $_POST["id_funcionario"] with filter_input() using FILTER_SANITIZE_NUMBER_INT and adds bounds validation before the value reaches the query.

Detection Methods for CVE-2025-62177

Indicators of Compromise

  • POST requests to /html/funcionario/dependente_listar.php containing SQL syntax such as UNION, SELECT, --, ', or OR 1=1 within the id_funcionario parameter.
  • Unusual database errors logged by the WeGIA PHP application referencing the dependente_listar.php script.
  • Spikes in response size or response time from the affected endpoint, suggesting data exfiltration via UNION-based injection.

Detection Strategies

  • Inspect web server access logs for non-numeric values submitted in the id_funcionario POST parameter.
  • Deploy WAF rules that match SQL injection patterns specifically scoped to the WeGIA endpoint path.
  • Enable database query logging to identify queries containing concatenated identifiers from the funcionario and dependente tables.

Monitoring Recommendations

  • Alert on authenticated user sessions issuing repeated POST requests to dependente_listar.php outside normal staff workflow patterns.
  • Monitor for outbound data transfers from the application server immediately following requests to vulnerable endpoints.
  • Track failed and successful permission checks via permissao.php to identify abuse of authenticated accounts.

How to Mitigate CVE-2025-62177

Immediate Actions Required

  • Upgrade WeGIA to version 3.5.1 or later, which contains the official fix for CVE-2025-62177.
  • Audit existing user accounts and revoke unused or privileged sessions that could be leveraged to exploit the endpoint.
  • Review database logs for anomalous queries against the dependents and employee tables since the application was deployed.

Patch Information

The fix is committed in WeGIA commit 017fdd71 and documented in GitHub Security Advisory GHSA-4wrg-g9cj-hjcx. The patch applies filter_input() with FILTER_SANITIZE_NUMBER_INT, validates the resulting integer, regenerates the session ID, and reinforces permission checks before query execution.

Workarounds

  • If immediate upgrade is not possible, restrict network access to /html/funcionario/dependente_listar.php via reverse proxy or WAF rules.
  • Deploy a WAF signature that rejects POST requests where id_funcionario contains non-numeric characters.
  • Reduce database account privileges used by WeGIA to the minimum required, limiting the blast radius of successful injection.
bash
# Example nginx rule blocking non-numeric id_funcionario values
location /html/funcionario/dependente_listar.php {
    if ($request_method = POST) {
        if ($request_body !~* "id_funcionario=[0-9]+(&|$)") {
            return 403;
        }
    }
    proxy_pass http://wegia_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.