A critical vulnerability has been identified in Logo Software Diva, assigned CVE-2024-13151. This flaw, a severe SQL injection, allows an unauthenticated attacker to bypass all authorization controls and gain complete control over the application's database. Successful exploitation could lead to total data loss, theft of sensitive information, and full system compromise.

The vulnerability is a CWE-89 SQL Injection flaw that allows for a complete authorization bypass. An attacker can manipulate a user-controlled primary key value, likely an ID parameter in a URL or API request, to inject malicious SQL commands directly into the backend database query. Because the application fails to properly sanitize this input, the attacker's code is executed by the database, allowing them to circumvent security checks and perform actions as a privileged user, including reading, modifying, or deleting any data in the database.

This vulnerability is rated as critical severity with a CVSS score of 10.0, indicating the highest possible risk. A successful exploit would grant an attacker complete control over the application's database, leading to a total loss of confidentiality, integrity, and availability. Potential consequences include the exfiltration of sensitive corporate or customer data, fraudulent data manipulation, and service-wide disruption or destruction. This could result in severe reputational damage, significant financial losses, and potential regulatory fines for data breaches.

Immediate Action: Immediately apply the latest security updates provided by Logo Software to all instances of the affected products. Prioritize patching for systems that are exposed to the internet. After patching, monitor for any signs of exploitation attempts and review historical access logs for indicators of compromise.

Proactive Monitoring: Implement enhanced monitoring of web server and database logs. Specifically, search for suspicious SQL syntax within HTTP requests, such as UNION SELECT, ' OR '1'='1, --, SLEEP(), or other database-specific commands. Monitor for an unusual volume of database errors or unexpected application behavior, which could indicate scanning or exploitation attempts.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules designed to detect and block SQL injection attacks. Restrict access to the application at the network level to only trusted IP addresses. Ensure the application's database service account is configured with the principle of least privilege to limit the potential impact of a successful breach.

Public Exploit Available: false

This vulnerability poses a critical and immediate threat to the organization. Due to the perfect CVSS score of 10.0, remediation must be treated as the highest priority. All system owners must apply the vendor-supplied patches without delay to prevent a full system compromise. Although this CVE is not currently on the CISA KEV list, its severity makes it a likely candidate for future inclusion, and organizations should act as if exploitation is imminent.