CVE-2025-53938

Broken Access Control

CVE-2025-53938: Authentication Bypass due to Missing Session Validation in multiple endpoints

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-53938

Summary

An Authentication Bypass vulnerability was identified in the /dao/verificar_recursos_cargo.php endpoint of the WeGIA application. It allows unauthenticated users to access protected application functionality and retrieve sensitive information by sending crafted HTTP requests without any session cookies or authentication tokens.

Details

Vulnerable Endpoints:

  • /dao/verificar_recursos_cargo.php
  • /dao/exibir_cargo.php
  • /dao/verificar_modulos_visiveis.php
  • /dao/exibir_documento.php
  • /dao/adicionar_documento.php

Authentication Required:

  • ❌ No

PoC

Impact

The lack of session validation in this endpoint can lead to several security risks:

  • Unauthorized Data Exposure: Unauthenticated users can enumerate or retrieve sensitive internal data.
  • Privilege Escalation: Attackers might access or infer information intended only for authorized users.
  • Information Disclosure: Business logic and internal IDs (like user roles or permissions) can be leaked.
  • Reconnaissance Support: Facilitates attackers in mapping backend structures for more targeted attacks.
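
One way to audit a PHP code base for endpoints that handle request input without first validating the session, as described above. This is an added example, not WeGIA's code or the advisory's PoC; the PHP sources, the file names and the session key 'usuario' are constructed assumptions.

```python
import re

# Constructed PHP sources for illustration; NOT WeGIA's code.
# The session key 'usuario' and the file names are assumptions.
SAMPLES = {
    "dao/guarded.php": """<?php
session_start();
if (!isset($_SESSION['usuario'])) {
    http_response_code(401);
    exit;
}
$id = $_GET['id'];
""",
    "dao/unguarded.php": """<?php
$id = $_GET['id'];
echo json_encode(lookup($id));
""",
    "dao/commented_out.php": """<?php
// session_start(); if (!isset($_SESSION['usuario'])) { exit; }
$id = $_POST['id'];
""",
    "dao/late_check.php": """<?php
$id = $_REQUEST['id'];
session_start();
if (empty($_SESSION['usuario'])) { exit; }
""",
}

# Heuristic comment stripping (would also cut '//' or '#' inside string literals).
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# A guard is a test on $_SESSION whose branch terminates the request.
GUARD = re.compile(
    r"if\s*\(\s*(?:!\s*isset|empty)\s*\(\s*\$_SESSION\[[^\]]+\]\s*\)\s*\)"
    r"\s*\{[^}]*\b(?:exit|die)\b", re.S)
INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|FILES)\b")

def lacks_session_guard(php_source: str) -> bool:
    """True if no live session check runs before request input is read."""
    code = COMMENTS.sub("", php_source)
    guard = GUARD.search(code)
    if guard is None or "session_start" not in code[:guard.start()]:
        return True
    first_input = INPUT.search(code)
    return first_input is not None and first_input.start() < guard.start()

def audit(sources: dict) -> list:
    return sorted(p for p, src in sources.items() if lacks_session_guard(src))

if __name__ == "__main__":
    print("missing session guard:", audit(SAMPLES))
```

The check is a text heuristic: a guard pulled in through a shared include would need that include's name added as an accepted pattern.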

Reference

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6p76-7mm4-j5rj

Finder

Marcelo Queiroz

Contributor

Natan Maia Morette

By: CVE-Hunters
