Lookup for vulnerabilities affecting packages.
| Vulnerability_id | VCID-bm4u-wawy-57g8 |
|---|
| Summary | WeGIA is a Web manager for charitable institutions. The fix for CVE-2025-22133 was not enough to remediate the arbitrary file upload vulnerability. The WeGIA only check MIME types for Excel files at endpoint `/html/socio/sistema/controller/controla_xlsx.php`, which can be bypassed by using magic bytes of Excel file in a PHP file. As a result, attacker can upload webshell to the server for remote code execution. Version 3.4.11 contains an updated fix. |
|---|
| Aliases |
|
|---|
| Fixed_packages |
|
|---|
| Affected_packages |
|
|---|
| References |
|
|---|
| Weaknesses |
| 0 |
| cwe_id |
94 |
| name |
Improper Control of Generation of Code ('Code Injection') |
| description |
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
|
| 1 |
| cwe_id |
434 |
| name |
Unrestricted Upload of File with Dangerous Type |
| description |
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. |
|
|
|---|
| Exploits |
|
|---|
| Severity_range_score | 10.0 - 10.0 |
|---|
| Exploitability | null |
|---|
| Weighted_severity | null |
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-bm4u-wawy-57g8 |
|---|