A critical SQL injection vulnerability has been discovered in multiple products from the Austrian Archaeological Institute, including OpenAtlas v8.11.0. This flaw allows an unauthenticated attacker to execute arbitrary commands on the backend database, potentially leading to a complete compromise of the application's data. Successful exploitation could result in the theft, modification, or deletion of sensitive archaeological research data.

The application is vulnerable to SQL injection. An unauthenticated remote attacker can inject malicious SQL queries into user-supplied input fields that are not properly sanitized before being passed to the database. By crafting a specific payload, the attacker can bypass security controls and directly interact with the database to exfiltrate sensitive information, modify or delete records, and in some configurations, execute commands on the underlying operating system.

This vulnerability is rated as Critical with a CVSS score of 9.1. Exploitation could have a severe impact on the organization's operations and reputation. An attacker could gain unauthorized access to the entire database, which may contain irreplaceable historical and archaeological research data. The specific risks include the theft of intellectual property, manipulation of research data leading to a loss of academic integrity, complete data destruction, and potential disruption of the OpenAtlas service.

Immediate Action: Immediately apply the security updates provided by the Austrian Archaeological Institute to all affected products. Prioritize patching public-facing instances of OpenAtlas and other vulnerable applications to the latest secure version.

Proactive Monitoring: Implement enhanced monitoring on web and database servers. Review web server access logs and Web Application Firewall (WAF) logs for suspicious patterns indicative of SQL injection attempts, such as ' OR '1'='1', UNION SELECT, SLEEP(), and other SQL keywords in request parameters. Monitor database logs for unusual or unauthorized queries.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules designed to detect and block SQL injection attacks. Restrict access to the application at the network level, allowing connections only from trusted IP ranges. Ensure the application's database user account adheres to the principle of least privilege, limiting its permissions to prevent severe damage.

Public Exploit Available: false

Due to the critical severity (CVSS 9.1) of this vulnerability, immediate action is required. We strongly recommend that the organization prioritizes patching all affected systems without delay. Although there is no evidence of active exploitation, the risk of data compromise is significant. Until patching is complete, the compensating controls listed above should be implemented to reduce the attack surface and mitigate potential impact.