CVE-2025-61665
BaseFortify
Publication date: 2025-10-02
Last updated on: 2025-10-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wegia | wegia | to 3.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in WeGIA versions 3.4.12 and below, specifically in the get_relatorios_socios.php endpoint. It allows unauthenticated attackers to access sensitive personal and financial information of members without needing to authenticate or have authorization.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive personal and financial data of members, potentially resulting in privacy breaches, identity theft, financial fraud, and damage to the reputation of the affected charitable institution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can cause non-compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access to sensitive personal and financial information, violating requirements for data confidentiality and access controls.
What immediate steps should I take to mitigate this vulnerability?
Upgrade WeGIA to version 3.5.0 or later, as this version contains the fix for the Broken Access Control vulnerability in the get_relatorios_socios.php endpoint. Until the upgrade is applied, restrict access to the vulnerable endpoint to trusted users only, if possible.