A high-severity vulnerability has been discovered in Polling's Campcodes Online Polling System 1. This flaw could allow an unauthenticated remote attacker to access and potentially manipulate sensitive poll data and user information stored in the system's database. Organizations using the affected software are at significant risk of data breaches and loss of system integrity.

The vulnerability is an unauthenticated SQL Injection flaw within a public-facing component of the polling application. An attacker can send specially crafted input to the application's web server, which is then improperly processed and executed as a direct database query. This allows a remote attacker, without needing any credentials, to bypass security controls and interact directly with the backend database to exfiltrate, modify, or delete sensitive information, including poll results, voter data, and potentially administrative credentials.

This vulnerability is rated as High severity with a CVSS score of 7.3, posing a significant risk to the organization. Successful exploitation could lead to a severe data breach, compromising personally identifiable information (PII) of users and undermining the integrity of polling results. The business impact includes severe reputational damage, loss of customer trust, regulatory fines for data privacy violations, and the potential for a complete system compromise if administrative credentials are stolen from the database.

Immediate Action: The primary and most effective remediation is to apply the security updates provided by the vendor immediately across all affected systems. After patching, it is crucial to monitor for any signs of post-patch exploitation attempts and thoroughly review historical access and database logs for indicators of a prior compromise.

Proactive Monitoring: Implement enhanced monitoring of web server and database logs. Look for suspicious requests containing SQL keywords (e.g., SELECT, UNION, '--, OR 1=1), unusual error messages from the database, and unexpected spikes in data egress from the database server. Configure alerts for multiple failed login attempts or anomalous queries executed by the application's service account.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL injection attack patterns. Restrict network access to the application's administrative interfaces to only trusted IP addresses. Ensure the application's database user account is configured with the principle of least privilege, limiting its ability to perform destructive actions.

Public Exploit Available: false

Given the high severity (CVSS 7.3) of this vulnerability and its potential for unauthenticated exploitation, we strongly recommend that organizations prioritize the immediate application of the vendor-supplied patches. Although this CVE is not currently listed on the CISA KEV list, its impact on data confidentiality and integrity makes it a highly attractive target for attackers. All instances of the affected software should be considered at high risk and must be patched and monitored without delay.