CVE-2024-12918

Agito Computer · Health4All

An SQL injection vulnerability in Agito Computer's Health4All application allows attackers to inject malicious SQL code into database queries.

Executive summary

A high-severity SQL injection vulnerability in the Agito Computer Health4All application allows unauthorized database manipulation and potential data theft.

Vulnerability

The vulnerability is an improper neutralization of special elements used in an SQL command (SQL Injection). Attackers can inject malicious SQL code through application input fields or parameters, leading to unauthorized database access, modification, or deletion.
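The pattern behind CWE-89 is easiest to see side by side. The following is an added illustration, not code from Health4All or Agito Computer: it builds a constructed in-memory SQLite table (the `patients` schema and rows are invented for the demo) and runs the same lookup two ways, once with the input spliced into the query text and once with a bound parameter. The tautology input returns every row from the vulnerable version and nothing from the parameterized one, which is exactly the defect a fix for this class of bug removes.

```python
import sqlite3

# Constructed sample data (not Health4All data): a tiny patient table.
SAMPLE_PATIENTS = [
    (1, "alice", "Alice Example", "A+"),
    (2, "bob", "Bob Example", "O-"),
    (3, "carol", "Carol Example", "B+"),
]


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients ("
        "id INTEGER PRIMARY KEY, username TEXT, full_name TEXT, blood_type TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", SAMPLE_PATIENTS)
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89 pattern: untrusted input is concatenated into the SQL text,
    so quote characters in the input become SQL syntax."""
    sql = ("SELECT id, full_name, blood_type FROM patients "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the driver binds the value as data; it can never
    change the structure of the statement."""
    sql = "SELECT id, full_name, blood_type FROM patients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign name and with a tautology input."""
    conn = make_db()
    benign = "alice"
    tautology = "' OR '1'='1"   # turns WHERE username = '' OR '1'='1'
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),   # all rows
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_tautology": lookup_parameterized(conn, tautology),  # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same contrast applies to any driver or ORM: the remediation is to use placeholders (or a query builder that binds values) everywhere user-controlled data reaches a statement, rather than trying to escape quotes by hand.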

Business impact

With a CVSS score of 8.8 (high severity), this vulnerability is critical to address. Successful exploitation could lead to the compromise of sensitive medical or personal information, resulting in significant legal, financial, and reputational consequences.

Remediation

Immediate Action: Update Agito Computer Health4All to version 10.01.2025 or later.

Proactive Monitoring: Monitor database logs for unusual query patterns and enable query logging to detect injection attempts.
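As an added example of what "monitor database logs for unusual query patterns" can look like in practice (not tooling from Agito Computer, and the log format, field names and table names below are constructed for the demo), the scanner below reads query-log lines and flags the textual signatures that injection attempts typically leave behind: always-true comparisons after OR, UNION SELECT appended to a lookup, stacked statements after a semicolon, and comment sequences that truncate the rest of a query. It is a heuristic first pass meant to feed a SIEM alert, not a replacement for the upgrade.

```python
import re

# Constructed sample query-log lines (not real Health4All logs). Line 1 is a
# normal lookup; lines 2-5 each show one injection signature.
SAMPLE_LOG = """\
2025-01-10T09:12:01Z app=health4all user=svc_web sql="SELECT id, full_name FROM patients WHERE username = 'alice'"
2025-01-10T09:12:07Z app=health4all user=svc_web sql="SELECT id, full_name FROM patients WHERE username = '' OR '1'='1'"
2025-01-10T09:12:15Z app=health4all user=svc_web sql="SELECT id, full_name FROM patients WHERE username = 'x' UNION SELECT 1, password FROM users"
2025-01-10T09:12:22Z app=health4all user=svc_web sql="SELECT id FROM patients WHERE username = 'x'; DROP TABLE audit_log"
2025-01-10T09:12:30Z app=health4all user=svc_web sql="SELECT id FROM patients WHERE username = 'admin' -- ' AND active = 1"
"""

# One line per log entry: timestamp, key=value fields, then the query in sql="...".
LOG_LINE = re.compile(r'^(?P<ts>\S+)\s+.*?\bsql="(?P<sql>.*)"$')

# Heuristic indicators; each is a common textual footprint of an injection attempt.
INDICATORS = {
    # OR followed by a comparison of a token with itself, e.g. OR '1'='1'
    "tautology": re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1'?", re.IGNORECASE),
    # UNION [ALL] SELECT appended to a lookup to pull rows from another table
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE),
    # a second, data-changing statement after a semicolon
    "stacked_statement": re.compile(r";\s*(?:DROP|DELETE|UPDATE|INSERT|ALTER)\b", re.IGNORECASE),
    # SQL comment opener used to discard the rest of the original query
    "comment_truncation": re.compile(r"(?:--|/\*)"),
}


def classify(sql):
    """Return the list of indicator names that match the query text."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(sql)]


def scan_log(text):
    """Parse each log line and return findings for queries that hit any indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hits = classify(m.group("sql"))
        if hits:
            findings.append({"timestamp": m.group("ts"),
                             "indicators": hits,
                             "sql": m.group("sql")})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["timestamp"]} {",".join(f["indicators"])}: {f["sql"]}')
```

Tune the indicator set against the application's normal query corpus before alerting on it; a legitimate report query can contain UNION or a comment, so the value of this check is in rate and novelty (a lookup endpoint that suddenly emits a tautology) rather than in any single match.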

Compensating Controls: Use a Web Application Firewall (WAF) to filter and block malicious input that could be leveraged for SQL injection.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Protecting sensitive health data is paramount. Organizations using the Health4All application must upgrade to the latest version immediately to remediate this SQL injection vulnerability and prevent potential unauthorized access to clinical or patient data.