A high-severity vulnerability has been identified in multiple products from the vendor Polling, including the Campcodes Online Polling System. This flaw could allow a remote, unauthenticated attacker to manipulate or steal sensitive data from the system's database, potentially compromising polling results and user information. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this significant risk.

The vulnerability is an unauthenticated SQL Injection flaw. An attacker can send a specially crafted request to a public-facing component of the application, injecting malicious SQL commands into a parameter that is not properly sanitized before being used in a database query. Successful exploitation allows an attacker to bypass authentication, read sensitive data from the database (such as user credentials and polling data), modify or delete data, and in some database configurations, potentially execute commands on the underlying operating system.

This vulnerability poses a significant risk to the organization, reflected by its High severity rating with a CVSS score of 7.3. Exploitation could lead to severe consequences, including the unauthorized disclosure of personally identifiable information (PII) of users, manipulation of polling results leading to a loss of data integrity, and reputational damage. The compromise of a polling system undermines trust and could have legal or compliance implications depending on the data involved.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected systems immediately. After patching, it is crucial to review access and application logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Security teams should monitor web application firewall (WAF), web server, and database logs for signs of SQL injection attempts. Look for suspicious patterns in HTTP requests, such as the inclusion of SQL keywords (SELECT, UNION, DROP), operators (--, ', ;), or time-based query functions (SLEEP, BENCHMARK). An increase in database errors or unusual query structures should be investigated promptly.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL injection attacks. Additionally, consider restricting network access to the application's administrative interfaces to only trusted IP addresses and enhance database activity monitoring to detect anomalous queries.

Public Exploit Available: false

Given the high-severity CVSS score of 7.3 and the critical nature of the potential impact, we strongly recommend that organizations prioritize the immediate deployment of the vendor-supplied patches. Although this vulnerability is not currently listed on the CISA KEV catalog, its characteristics make it an attractive target for attackers. Proactive patching is the most effective defense to prevent potential data breaches, maintain system integrity, and protect organizational reputation.