CVE-2025-22140

SQL Injection

CVE-2025-22140: SQL Injection (Blind Time-Based) in endpoint dependente_listar_um.php, parameter id_dependente

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-22140

Summary

A SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar_um.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.

Details

Vulnerable Endpoint: /html/funcionario/dependente_listar_um.php

Parameter: id_dependente

The application fails to validate and sanitize user inputs in the id_dependente parameter. This allows attackers to inject malicious SQL payloads that are executed directly by the database. This could result in unauthorized access to sensitive information, data manipulation, and operational disruptions.

POC

Payload:

1 AND (SELECT 7525 FROM (SELECT(SLEEP(20)))PXhT)

This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.

Observe the time delay in the server response, indicating the successful execution of the SQL payload.
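
One way to handle id_dependente so that input like the payload above never reaches the SQL text, shown as an added example that is not WeGIA's own code. The table, column and function names are hypothetical, and in-memory SQLite stands in for the application's database so the script runs offline.

```php
<?php
// Added example: hypothetical schema and helper names, not WeGIA's code.
// Assumption: SQLite in memory replaces the real database for a self-contained run.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE dependente (id_dependente INTEGER PRIMARY KEY, nome TEXT)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO dependente VALUES (1, 'constructed row A'), (2, 'constructed row B')");
    return $pdo;
}

// Returns the matching row, or null when the id is not a positive integer
// or no row matches. A real endpoint would answer HTTP 400 on invalid input.
function listarDependente(PDO $pdo, mixed $rawId): ?array
{
    // 1. Allow-list validation: accept a positive integer and nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Prepared statement: the value is bound as data and is never
    //    concatenated into the SQL string.
    $stmt = $pdo->prepare(
        'SELECT id_dependente, nome FROM dependente WHERE id_dependente = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = openDemoDb();
$payload = '1 AND (SELECT 7525 FROM (SELECT(SLEEP(20)))PXhT)'; // from the POC section

var_dump(listarDependente($pdo, '1'));      // well-formed id
var_dump(listarDependente($pdo, $payload)); // POC payload, fails integer validation
```

Validation and parameter binding are independent layers: the integer check rejects malformed input early, and the bound parameter keeps the query structure fixed even if a validation step is later removed or bypassed.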

Impact

  • Data exfiltration.
  • Unauthorized access.
  • Data manipulation.
  • Application disruption.
  • Reconnaissance and enumeration.
  • Compromising user credentials.
  • Business impact.

Reference

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xrjq-57mq-4hf8

Finder

Elisangela Mendonça

Contributors

Diego Castro

Natan Maia Morette

By: CVE-Hunters
