CVE-2025-53527

SQL Injection

CVE-2025-53527: SQL Injection Vulnerability in tipo and responsavel Parameters on relatorio_geracao.php Endpoint

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-53527

Summary

A SQL Injection vulnerability was identified in the tipo and responsavel parameters of the /controle/relatorio_geracao.php endpoint. This vulnerability allows an attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data.

Details

Vulnerable Endpoint: /controle/relatorio_geracao.php

Parameters: tipo and responsavel

PoC

Normal Request:

SQL Injection parameter tipo

Payload:

  ;SELECT SLEEP(10)#

SQL Injection parameter responsavel

Payload:

  ;SELECT SLEEP(10)#

Impact

  • Unauthorized access to sensitive data: An attacker can access confidential information such as credentials, personal or financial data.
  • Compromise of user accounts: Using stolen credentials, attackers can gain full access to the application and perform actions on behalf of legitimate users.
  • Data exfiltration: Possibility of stealing large volumes of information by dumping entire database tables.
  • Reputational damage: Exposing customer data or business information can significantly harm the organization's image.
  • Execution of chain attacks: Obtained information can be used to carry out new attacks, such as targeted phishing or attacks on interconnected systems.
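
For defenders, the sketch below shows how strict validation plus bound parameters neutralise the payload from the PoC. It is an added example, not WeGIA's code and not the project's actual fix: the table relatorio_item, its columns and the helpers parseId and fetchReport are hypothetical, and it assumes tipo and responsavel are numeric identifiers.

```php
<?php
declare(strict_types=1);

// Added example with a hypothetical schema; assumes both parameters are numeric ids.
function parseId(array $input, string $name): int
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // including the PoC value ';SELECT SLEEP(10)#'.
    $value = filter_var($input[$name] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($value === false || $value === null) {
        throw new InvalidArgumentException("invalid value for {$name}");
    }
    return $value;
}

function fetchReport(PDO $pdo, array $input): array
{
    $tipo = parseId($input, 'tipo');
    $responsavel = parseId($input, 'responsavel');

    // Placeholders keep the values out of the SQL text, so a ';' or '#'
    // in the input can never start a second statement or a comment.
    $stmt = $pdo->prepare(
        'SELECT id, descricao FROM relatorio_item
          WHERE tipo_id = :tipo AND responsavel_id = :responsavel'
    );
    $stmt->bindValue(':tipo', $tipo, PDO::PARAM_INT);
    $stmt->bindValue(':responsavel', $responsavel, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE relatorio_item (id INTEGER PRIMARY KEY,
            descricao TEXT, tipo_id INTEGER, responsavel_id INTEGER)');
$pdo->exec("INSERT INTO relatorio_item (descricao, tipo_id, responsavel_id)
            VALUES ('entrada', 1, 7)");

// A legitimate request returns the matching rows.
var_dump(fetchReport($pdo, ['tipo' => '1', 'responsavel' => '7']));

// The value from the PoC is rejected before any SQL is built.
try {
    fetchReport($pdo, ['tipo' => ';SELECT SLEEP(10)#', 'responsavel' => '7']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Against MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the driver uses server-side prepared statements.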

Reference

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-43xw-c4g6-jgff

Finder

Natan Maia Morette

By: CVE-Hunters
