CVE-2025-54428
RevelaCode · Multiple Products
A critical vulnerability has been discovered in multiple products from the vendor RevelaCode.
Executive summary
A critical vulnerability has been discovered in multiple products from the vendor RevelaCode. This flaw allows an unauthenticated remote attacker to easily obtain the full database connection credentials, leading to a complete compromise of the application's data. Successful exploitation would grant an attacker unrestricted access to read, modify, and delete all information stored by the service, posing a severe risk to data confidentiality, integrity, and availability.
Vulnerability
The vulnerability exists due to the improper handling of database connection strings within the application's API. In affected versions, a full MongoDB Atlas URI, which includes embedded plaintext usernames and passwords, is leaked in server error responses. An unauthenticated remote attacker can intentionally trigger a specific, predictable error condition by sending a malformed request to a public-facing API endpoint. The resulting error message inadvertently discloses the complete connection string, providing the attacker with the credentials needed to connect directly to the database with administrative privileges.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have catastrophic consequences for the organization. An attacker with direct database access can exfiltrate all user data, which, given the nature of the "faith-tech" project, may be highly sensitive and personal. This would result in a major data breach, leading to severe reputational damage, loss of user trust, and potential legal and regulatory penalties under data protection laws. Furthermore, the attacker could manipulate or delete data, causing a complete disruption of the service and rendering the application unusable.
Remediation
Immediate Action: Immediately upgrade all instances of the affected RevelaCode products to version 1.0.1 or later, as recommended by the vendor. After patching, it is critical to rotate the MongoDB Atlas database credentials to invalidate the previously exposed connection string.
Proactive Monitoring: Review historical and real-time web server and application logs for requests that may have triggered the vulnerability, such as those resulting in 5xx server errors from the application's API endpoints. Monitor network traffic for any direct connections to the MongoDB Atlas cluster from untrusted or unexpected IP addresses. Implement alerts for any unauthorized access attempts or anomalous query patterns observed in the database logs.
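As an added defender-side example (not code from the vendor or from this advisory), the following Python scans log lines for MongoDB Atlas URIs that carry embedded credentials, the exact artifact the vulnerability section describes, and redacts the password from any such URI so it cannot reach an error response. The sample log lines, user name, and cluster host are constructed.

```python
import re

# Matches mongodb:// and mongodb+srv:// URIs that carry a userinfo section
# (user:password@hosts). A URI without credentials never matches, and a
# bare host:port (no "@") does not match either, so it is not a finding.
MONGO_URI_RE = re.compile(
    r"mongodb(?:\+srv)?://"                          # scheme
    r"(?P<user>[^:@/\s]+):(?P<password>[^@/\s]+)@"  # embedded credentials
    r"(?P<hosts>[^/\s?]+)"                           # host list
    r"(?:/[^\s?\"']*)?"                              # optional /database
    r"(?:\?[^\s\"']*)?"                              # optional ?options
)

def find_leaked_credentials(text):
    """Return (user, hosts) for every credential-bearing MongoDB URI in text."""
    return [(m.group("user"), m.group("hosts")) for m in MONGO_URI_RE.finditer(text)]

def redact_mongo_uris(text):
    """Replace the password of every embedded-credential URI with [REDACTED]."""
    def _redact(m):
        # Splice the match back together with only the password span replaced.
        return (text[m.start():m.start("password")] + "[REDACTED]"
                + text[m.end("password"):m.end()])
    return MONGO_URI_RE.sub(_redact, text)

# Constructed sample lines: an error body of the kind the advisory describes,
# a healthy request, and an error that names the cluster without credentials.
SAMPLE_LOG = [
    '500 POST /api/items body={"error":"MongoServerSelectionError: connect failed for '
    'mongodb+srv://appuser:S3cr%40t@cluster0.example.mongodb.net/prod?retryWrites=true"}',
    '200 GET /api/items 12ms',
    '500 POST /api/items body={"error":"timeout mongodb+srv://cluster0.example.mongodb.net/prod"}',
]

def scan_log(lines):
    """Flag lines that leak credentials; returns a list of (line_no, user, hosts)."""
    findings = []
    for n, line in enumerate(lines, 1):
        for user, hosts in find_leaked_credentials(line):
            findings.append((n, user, hosts))
    return findings

if __name__ == "__main__":
    for line_no, user, hosts in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: credentials for user {user!r} leaked for {hosts}")
    print(redact_mongo_uris(SAMPLE_LOG[0]))
```

Only the 5xx line carrying a credential-bearing URI is reported; the redacted form keeps the user and host so the finding stays triageable without re-exposing the password.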
Compensating Controls: If immediate patching is not feasible, implement the following controls:
- Rotate Credentials: Immediately rotate the database credentials to invalidate any already-leaked connection strings.
- IP Whitelisting: Configure MongoDB Atlas network access rules to only allow connections from the specific IP addresses of the application servers, blocking all other external access attempts.
- Web Application Firewall (WAF): Deploy a WAF rule to inspect and block inbound requests that match the pattern known to trigger the information leak.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a critical and immediate threat to the organization. Due to the high risk of a complete data compromise, remediation must be treated as the highest priority. We strongly recommend immediate action by applying the vendor-supplied patch to all affected systems and rotating all database credentials without delay. Although this CVE is not currently on the CISA KEV list, its critical nature makes it a prime candidate for future inclusion, and organizations should operate under the assumption that it will be actively targeted by threat actors.