WeGIA SQL Injection Vulnerability in Category Editing Endpoint

A SQL injection vulnerability has been identified in WeGIA versions through 3.5.4. The issue resides in the '/html/matPat/editar_categoria.php' endpoint, specifically within the 'id_categoria' parameter. The vulnerability arises because the application does not adequately validate and sanitize user inputs, allowing attackers to inject malicious SQL payloads for execution. This could lead to unauthorized access to sensitive database information, data manipulation, and operational disruptions.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, potentially leading to unauthorized access to sensitive data, database enumeration, and depending on the database configuration, escalation to remote code execution. Additionally, if chained with other vulnerabilities, it could result in a full application compromise.

Reproduction

To reproduce this vulnerability, log in to the application to obtain a session cookie. Then, send a request to the '/html/matPat/editar_categoria.php' endpoint with an 'id_categoria' payload that includes a SQL injection, such as a UNION SELECT payload. This will demonstrate the injection by, for example, retrieving the database version.

Remediation

Users can upgrade to WeGIA version 3.5.5, where this vulnerability has been patched.