
CVE-2025-22141

SQL Injection

CVE-2025-22141: SQL Injection (Blind Time-Based) in the cargo parameter of the verificar_recursos_cargo.php endpoint

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-22141

Summary

A SQL Injection vulnerability was identified in the /dao/verificar_recursos_cargo.php endpoint, specifically in the cargo parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database.

Details

Vulnerable Endpoint: /dao/verificar_recursos_cargo.php

Parameter: cargo

The application fails to properly validate and sanitize user inputs in the cargo parameter. This allows attackers to inject malicious SQL payloads that are executed directly by the database. This could result in unauthorized access to sensitive information, data manipulation, and operational disruptions.

POC

Payload:

1 AND (SELECT 7525 FROM (SELECT(SLEEP(20)))PXhT)

This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.

Observe the time delay in the server response, indicating the successful execution of the SQL payload.
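
The following is an added example, not code from WeGIA or from the advisory. It contrasts a concatenated query with a validated, parameterized one, using the payload above as input. It assumes Python with an in-memory SQLite database as a stand-in for the application's stack; the table, column and function names are hypothetical, and SLEEP is registered as a no-op stub because SQLite has no such function.

```python
import sqlite3

# Payload quoted from the advisory's POC section.
POC_PAYLOAD = "1 AND (SELECT 7525 FROM (SELECT(SLEEP(20)))PXhT)"

def make_db():
    """Constructed in-memory stand-in; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE recurso_cargo (id_cargo INTEGER, recurso TEXT)")
    db.executemany("INSERT INTO recurso_cargo VALUES (?, ?)",
                   [(1, "relatorios"), (2, "estoque")])
    # SQLite has no SLEEP(); a no-op stub lets the payload compile without delaying.
    db.create_function("SLEEP", 1, lambda seconds: 0)
    seen = set()  # SQL functions referenced by statements compiled on this connection

    def authorizer(action, arg1, arg2, dbname, source):
        # SQLite calls this while compiling a statement; for SQLITE_FUNCTION,
        # arg2 carries the name of the function the statement references.
        if action == sqlite3.SQLITE_FUNCTION:
            seen.add(str(arg2).upper())
        return sqlite3.SQLITE_OK

    db.set_authorizer(authorizer)
    return db, seen

def lookup_vulnerable(db, cargo):
    # The request value is concatenated into the statement, so its text is parsed as SQL.
    sql = "SELECT recurso FROM recurso_cargo WHERE id_cargo = " + cargo
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, cargo):
    # The value travels as bound data; the statement text never changes.
    sql = "SELECT recurso FROM recurso_cargo WHERE id_cargo = ?"
    return [row[0] for row in db.execute(sql, (cargo,))]

def lookup_hardened(db, cargo):
    # Allow-list check first (cargo is assumed to be a numeric id), then bind it.
    if not (cargo.isascii() and cargo.isdigit()):
        raise ValueError("cargo must be a positive integer id")
    return lookup_parameterized(db, int(cargo))

if __name__ == "__main__":
    db, seen = make_db()
    print("concatenated :", lookup_vulnerable(db, POC_PAYLOAD), seen)
    db, seen = make_db()
    print("parameterized:", lookup_parameterized(db, POC_PAYLOAD), seen)
```

In the concatenated case the compiled statement references SLEEP, which is what produces the delay on a database that implements it; in the bound case the same string is only compared as a value and matches no row.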

Impact

  • Data exfiltration.
  • Unauthorized access.
  • Data manipulation.
  • Application disruption.
  • Reconnaissance and enumeration.
  • Compromising user credentials.
  • Business impact.

Reference

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w7hp-2w2c-p636

Finder

Elisangela Mendonça

Contributors

Diego Castro

Natan Maia Morette

By: CVE-Hunters
