CVE-2025-58745
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wegia | wegia | < 3.4.11 (all versions before 3.4.11; 3.4.11 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an arbitrary file upload issue in WeGIA, a web manager for charitable institutions. The upload endpoint `/html/socio/sistema/controller/controla_xlsx.php` validates only that the submitted file looks like an Excel spreadsheet (a MIME-type check derived from the file's content), and that check is satisfied by placing the Excel magic bytes at the start of a PHP file. Such a polyglot is accepted as if it were a spreadsheet, so an attacker can upload a webshell and execute code on the server.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can upload a webshell to the server, which allows them to execute arbitrary code remotely. This can lead to full compromise of the server, including data theft, data manipulation, service disruption, or further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade WeGIA to version 3.4.11 or later, which contains the fix for this arbitrary file upload vulnerability. Until the upgrade is in place, and as defence in depth afterwards, harden upload handling at `/html/socio/sistema/controller/controla_xlsx.php`: a MIME or magic-bytes test only inspects the leading bytes and is trivially satisfied by a polyglot, so enforce an extension allow-list, validate the file by actually parsing it as a spreadsheet, store it under a server-generated name outside the web root, and disable script execution in any directory that receives uploads. When assessing exposure, review web-server logs for requests to that endpoint followed by requests to newly created `.php` files under the location it writes to.