Vulnerability Description
WeGIA is a Web manager for charitable institutions. The fix for CVE-2025-22133 was not enough to remediate the arbitrary file upload vulnerability. The WeGIA only check MIME types for Excel files at endpoint `/html/socio/sistema/controller/controla_xlsx.php`, which can be bypassed by using magic bytes of Excel file in a PHP file. As a result, attacker can upload webshell to the server for remote code execution. Version 3.4.11 contains an updated fix.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wegia | Wegia | < 3.4.11 |
Related Weaknesses (CWE)
References
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hq96-gvmx-qrwpExploitThird Party Advisory
- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hq96-gvmx-qrwpExploitThird Party Advisory
FAQ
What is CVE-2025-58745?
CVE-2025-58745 is a vulnerability with a CVSS score of 9.9 (CRITICAL). WeGIA is a Web manager for charitable institutions. The fix for CVE-2025-22133 was not enough to remediate the arbitrary file upload vulnerability. The WeGIA only check MIME types for Excel files at e...
How severe is CVE-2025-58745?
CVE-2025-58745 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-58745?
Check the references section above for vendor advisories and patch information. Affected products include: Wegia Wegia.