CVE-2025-53938 MEDIUM

CVE-2025-53938: WeGIA vulnerable to Authentication Bypass due to Missing Session Validation in multiple endpoints

Vendor Labredescefetrj
Product WeGIA
Weakness CWE-306 · Missing auth
Published July 16, 2025
Last update July 18, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. An Authentication Bypass vulnerability was identified in the `/dao/verificar_recursos_cargo.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows unauthenticated users to access protected application functionalities and retrieve sensitive information by sending crafted HTTP requests without any session cookies or authentication tokens. Version 3.4.5 fixes the issue.

Key dates

02 Disclosure timeline

July 16, 2025 CVE published
July 18, 2025 Record updated