OS Command Injection in WeGIA Web Manager for Charitable Institutions
CVE-2025-27140

Score: 10 (CRITICAL)

Key Information:

Vendor: Labredescefetrj
Product: Wegia
CVE Published: 24 February 2025

Summary

WeGIA, a web manager for charitable institutions, contains an OS command injection vulnerability in the importar_dump.php endpoint. Versions prior to 3.2.15 are affected. A remote attacker can reach the flaw over the network and execute arbitrary commands on the server; because the endpoint handles attacker-supplied temporary files, uploading a webshell may also be feasible. Users of WeGIA should upgrade to version 3.2.15 or later.
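To make the vulnerability class concrete, the following is an illustrative example added here; it is not WeGIA's code and does not reproduce the actual importar_dump.php code path. It shows the typical shape of an OS command injection in a database-dump import handler (a file path or name interpolated into a shell string) beside a hardened version. The function names import_dump_unsafe and import_dump_safe, and the database user and name parameters, are assumptions for the example.

```php
<?php
// Added illustrative example, not WeGIA's code. Hypothetical helper names.

// UNSAFE: attacker-influenced data reaches a shell parser.
// If $tmpPath (or a client-supplied file name used to build it) contains
// shell metacharacters, e.g. "dump.sql; id > /tmp/out", the injected
// command runs with the privileges of the web server process.
function import_dump_unsafe(string $tmpPath, string $dbUser, string $dbName): int
{
    $cmd = "mysql -u $dbUser $dbName < $tmpPath";
    exec($cmd, $output, $status);
    return $status;
}

// SAFE: validate what we control and never hand user-influenced strings to a shell.
function import_dump_safe(array $upload, string $dbUser, string $dbName): int
{
    // 1. Accept only a genuine multipart upload from this request.
    if (!isset($upload['tmp_name']) || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 2. Never reuse the client-supplied file name; pick our own random one.
    $dest = tempnam(sys_get_temp_dir(), 'dump_');
    if ($dest === false || !move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }

    // 3. Allow-list identifiers that will appear on the command line.
    foreach ([$dbUser, $dbName] as $ident) {
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $ident)) {
            unlink($dest);
            throw new InvalidArgumentException('bad database identifier');
        }
    }

    // 4. Run the program with an argv array (no shell involved, PHP >= 7.4)
    //    and feed the dump on stdin so no path is ever parsed by a shell.
    $spec = [
        0 => ['file', $dest, 'r'],
        1 => ['pipe', 'w'],
        2 => ['pipe', 'w'],
    ];
    $proc = proc_open(['mysql', '-u', $dbUser, $dbName], $spec, $pipes);
    if (!is_resource($proc)) {
        unlink($dest);
        throw new RuntimeException('failed to start mysql');
    }
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    unlink($dest);

    if ($status !== 0) {
        error_log('dump import failed: ' . $stderr);
    }
    return $status;
}
```

The key properties of the hardened form are that the client never chooses the on-disk name, every value that reaches the command line is allow-listed, and the command is executed without a shell. If an array-form proc_open is not available, each argument must at least pass through escapeshellarg(), but avoiding the shell entirely is the stronger control.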

Affected Version(s)

WeGIA < 3.2.15

CVSS v4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published (24 February 2025)