CVE-2025-24902 | THREATINT

Description

WeGIA is a Web Manager for Charitable Institutions. A SQL Injection vulnerability was discovered in the WeGIA application, `salvar_cargo.php` endpoint. This vulnerability could allow an authorized attacker to execute arbitrary SQL queries, allowing access to or deletion of sensitive information. This issue has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

PUBLISHED Reserved 2025-01-27 | Published 2025-02-03 | Updated 2025-08-22 | Assigner GitHub_M

CRITICAL: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

< 3.2.12

affected

References

github.com/.../WeGIA/security/advisories/GHSA-pg73-w9vx-8mgp

github.com/...ommit/f535e873a8f26fe413d21f22e3eacc8c79b2fa7f

cve.org (CVE-2025-24902)

nvd.nist.gov (CVE-2025-24902)