WeGIA SQL Injection Vulnerability in query_geracao_auto.php Prior to Version 3.2.8

Vulnerability

A SQL injection vulnerability has been identified in WeGIA, a web management tool for charitable institutions, in versions prior to 3.2.8. The issue resides in the endpoint '/WeGIA/html/socio/sistema/controller/query_geracao_auto.php', specifically in the 'query' request parameter, whose value reaches the database without proper sanitization or parameterization. This vulnerability allows attackers to execute arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the database.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of SQL commands, allowing attackers to exfiltrate sensitive database information, escalate privileges, compromise the database for further attacks, or cause a denial-of-service condition through advanced payloads.

Reproduction

To reproduce this vulnerability, send a POST request to '/WeGIA/html/socio/sistema/controller/query_geracao_auto.php' with a crafted 'query' parameter that includes the SQL injection payload. The request must be made with the appropriate headers to simulate an XMLHttpRequest.

Remediation

Upgrade to WeGIA version 3.2.8 or later, which addresses this vulnerability.
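The defect class behind this advisory and the fix pattern the upgrade applies, as an added illustration that is not taken from WeGIA's code base: a hypothetical PHP handler that concatenates a POST parameter named 'query' into SQL text, beside the same handler rewritten to use a prepared statement. The table name 'socio', its columns, the function names, the 100-character length limit and the connection details are all assumptions made for the example.

```php
<?php
// Added example, not WeGIA's code. Shows the vulnerable string-built query
// and the parameterized replacement for a hypothetical member-search endpoint.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false on SQL errors, so
// a failed query cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * VULNERABLE PATTERN (assumed shape of the defect class): the request value
 * becomes part of the SQL text, so a crafted value changes the statement
 * the database executes. Kept here only to contrast with the fix.
 */
function findMembersVulnerable(mysqli $db, string $term): array
{
    $sql = "SELECT id, nome FROM socio WHERE nome LIKE '%" . $term . "%'";
    $result = $db->query($sql);
    return $result->fetch_all(MYSQLI_ASSOC);
}

/**
 * HARDENED PATTERN: the SQL text is constant; the user-controlled value is
 * sent separately as a bound parameter and is never parsed as SQL.
 */
function findMembersSafe(mysqli $db, string $term): array
{
    // Escape LIKE metacharacters so '%' and '_' in the input match literally.
    $term = addcslashes($term, '%_\\');

    $stmt = $db->prepare(
        "SELECT id, nome FROM socio WHERE nome LIKE CONCAT('%', ?, '%')"
    );
    $stmt->bind_param('s', $term);   // 's' = bind as a string value
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/**
 * Request entry point for the hypothetical endpoint. Besides binding the
 * parameter, it rejects anything that is not a POST, non-string values
 * (PHP turns query[]=... into an array), and oversized input.
 */
function handleRequest(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return;
    }

    $term = $_POST['query'] ?? '';
    if (!is_string($term) || strlen($term) > 100) {   // assumed limit
        http_response_code(400);
        return;
    }

    // Placeholder connection details; replace with the application's own.
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(findMembersSafe($db, $term), JSON_THROW_ON_ERROR);
}

// Only run the handler when this file is the script being executed, so the
// functions above can also be included and reviewed on their own.
if (PHP_SAPI !== 'cli' && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    handleRequest();
}
```

When auditing an endpoint like the one named in this advisory, the review question is the one the two functions above make concrete: does any part of the SQL text depend on request data? If it does, binding the value (or, for identifiers such as column names, checking it against a fixed allow-list) is the fix; escaping alone is not a substitute for a prepared statement.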

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.