cve-2025-50201
Vulnerability from cvelistv5
Published
2025-06-19 03:34
Modified
2025-06-23 17:00
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
WeGIA OS Command Injection in debug_info.php parameter 'branch'
References
security-advisories@github.comhttps://github.com/LabRedesCefetRJ/WeGIA/commit/45f32ad1d52775fc99f3c90075c8136c6d4d1d3dPatch
security-advisories@github.comhttps://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-52p5-5fmw-9hrfExploit, Vendor Advisory
Impacted products
LabRedesCefetRJWeGIA
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-50201",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-23T16:59:52.920151Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-23T17:00:13.496Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WeGIA",
          "vendor": "LabRedesCefetRJ",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.4.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, an OS Command Injection vulnerability was identified in the /html/configuracao/debug_info.php endpoint. The branch parameter is not properly sanitized before being concatenated and executed in a shell command on the server\u0027s operating system. This flaw allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user (www-data). This issue has been patched in version 3.4.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T03:34:29.859Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-52p5-5fmw-9hrf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-52p5-5fmw-9hrf"
        },
        {
          "name": "https://github.com/LabRedesCefetRJ/WeGIA/commit/45f32ad1d52775fc99f3c90075c8136c6d4d1d3d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/45f32ad1d52775fc99f3c90075c8136c6d4d1d3d"
        }
      ],
      "source": {
        "advisory": "GHSA-52p5-5fmw-9hrf",
        "discovery": "UNKNOWN"
      },
      "title": "WeGIA OS Command Injection in debug_info.php parameter \u0027branch\u0027"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-50201",
    "datePublished": "2025-06-19T03:34:29.859Z",
    "dateReserved": "2025-06-13T19:17:51.728Z",
    "dateUpdated": "2025-06-23T17:00:13.496Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-50201\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-19T04:15:49.340\",\"lastModified\":\"2025-07-02T16:21:03.237\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, an OS Command Injection vulnerability was identified in the /html/configuracao/debug_info.php endpoint. The branch parameter is not properly sanitized before being concatenated and executed in a shell command on the server\u0027s operating system. This flaw allows an unauthenticated attacker to execute arbitrary commands on the server with the privileges of the web server user (www-data). This issue has been patched in version 3.4.2.\"},{\"lang\":\"es\",\"value\":\"WeGIA es un gestor web para instituciones ben\u00e9ficas. Antes de la versi\u00f3n 3.4.2, se identific\u00f3 una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en el endpoint /html/configuracao/debug_info.php. El par\u00e1metro de la rama no se depur\u00f3 correctamente antes de concatenarse y ejecutarse en un comando de shell en el sistema operativo del servidor. Esta falla permite que un atacante no autenticado ejecute comandos arbitrarios en el servidor con los privilegios del usuario del servidor web (www-data). Este problema se ha corregido en la versi\u00f3n 3.4.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.4.2\",\"matchCriteriaId\":\"022D4962-31E5-4F15-A0A0-38FB13114C45\"}]}]}],\"references\":[{\"url\":\"https://github.com/LabRedesCefetRJ/WeGIA/commit/45f32ad1d52775fc99f3c90075c8136c6d4d1d3d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-52p5-5fmw-9hrf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.