WeGIA Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in WeGIA versions prior to 3.4.11. The issue arises from improper validation of uploaded files: attackers can upload files with arbitrary names, including names with a .php extension. The application writes these files directly to disk without sufficient sanitization or extension restrictions. As a result, it is possible to upload a spreadsheet file with embedded PHP code, which can then be executed on the server, leading to arbitrary code execution. This vulnerability is a continuation of the issues addressed in CVE-2025-22133.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary commands on the server with the privileges of the web server user. This could lead to unauthorized access to sensitive data, manipulation of that data, compromise of the database, and potentially privilege escalation to full system control.

Reproduction

To reproduce this vulnerability, upload a spreadsheet file (either .xls or .xlsx) through the application's file upload feature. Intercept the upload request and modify the filename to include a .php extension, appending PHP code after the spreadsheet content. Once the file is uploaded, retrieve the new filename from the server's response, which will include a random prefix. Access the file directly to execute the embedded PHP code.

Remediation

Users are advised to update to WeGIA version 3.4.11 or later, where this vulnerability has been patched.
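
A check that can be run over the upload directory after updating, to find files left behind by the pattern described under Reproduction. This is an added example, not WeGIA code; the executable-extension list is an assumption to match against the server's PHP handler configuration, and the sample directory is constructed.

```python
import tempfile
from pathlib import Path

# Leading bytes of the two spreadsheet containers named in the advisory.
SPREADSHEET_MAGIC = {
    b"PK\x03\x04": "xlsx (ZIP/OOXML)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "xls (OLE2)",
}
# Assumption: extensions the web server passes to the PHP interpreter.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
PHP_OPEN_TAG = b"<?php"  # short tags are not matched, to limit false positives


def classify(path):
    """Return the reasons a file looks like a spreadsheet carrying PHP."""
    data = Path(path).read_bytes()
    kind = next((k for m, k in SPREADSHEET_MAGIC.items() if data.startswith(m)), None)
    ext = Path(path).suffix.lower()
    reasons = []
    if kind and ext in EXECUTABLE_EXTS:
        reasons.append(f"{kind} content stored with executable extension {ext}")
    if kind and PHP_OPEN_TAG in data.lower():
        reasons.append("PHP open tag inside spreadsheet content")
    return reasons


def scan(root):
    """Walk root and return {relative_path: reasons} for flagged files only."""
    root = Path(root)
    hits = {str(p.relative_to(root)): classify(p) for p in sorted(root.rglob("*")) if p.is_file()}
    return {path: why for path, why in hits.items() if why}


def demo():
    """Scan a constructed upload directory (all sample bytes are made up)."""
    samples = {
        "a1b2_report.xlsx": b"PK\x03\x04" + b"\x00" * 32,
        "c3d4_report.php": b"PK\x03\x04" + b"\x00" * 32 + b"<?php /* constructed marker */ ?>",
        "e5f6_notes.txt": b"plain text",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return scan(root)


if __name__ == "__main__":
    for path, why in demo().items():
        print(path, "->", "; ".join(why))
```

A flagged file in a web-served directory is a reason to review the web server access logs for requests to that path.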

Added: Aug 29, 2025, 11:23 PM
Updated: Aug 29, 2025, 11:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.