← voltar
CVE-2025-22133

WeGIA Allows Arbitrary File Upload with Remote Code Execution (RCE)

CVSS 10 CRITICALEPSS 0.7%CWE-434CWE-94
Vexday Risk Score
28Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 10EPSS 0.7%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
07 jan 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which can then be executed by the server. This vulnerability is fixed in 3.2.8.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Produtos afetados
nilsonLazarin · WeGIA