WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authentication Bypass) can execute arbitrary OS commands on the server by uploading a backup file with a specifically crafted filename. Version 3.6.5 fixes the issue.
The vulnerability occurs in the database restore function of the WeGIA application. The attacker uploads a backup file with a specially crafted filename that contains malicious system commands. The application does not properly sanitize the uploaded filename before using it in a system command call (CWE-78), leading to execution of embedded commands with the privileges of the server process.
The attacker gains the ability to execute arbitrary operating system commands on the server, which may lead to complete system takeover, data theft, data destruction, or further lateral movement in the network.
The WeGIA application should be updated to version 3.6.5, which eliminates the described vulnerability. Details available in the vendor references: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-5m5g-q2vv-rv3r
WeGIA application in versions before 3.6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWegia
APPWegia< 3.6.5
Related vulnerabilities
SQL Injection w WeGIA — kompromitacja bazy danych przez parametr id_produto
Reflected XSS w WeGIA — wstrzyknięcie kodu przez parametr sccd
Reflected XSS w WeGIA — wstrzyknięcie kodu JS przez parametr GET
SQL Injection w WeGIA – nieautoryzowane wykonanie poleceń SQL
WeGIA – pominięcie uwierzytelnienia w adicionar_tipo_docs_atendido.php