A high-severity vulnerability has been identified in multiple Inventory products, specifically the Campcodes Sales and Inventory System. If exploited, this flaw could allow an unauthenticated attacker to access and exfiltrate sensitive business data, including sales records, customer information, and inventory details. Organizations are urged to apply the vendor-supplied security patch immediately to mitigate the risk of a potential data breach.

The vulnerability is an unauthenticated SQL Injection flaw within the web-based interface of the inventory system. An attacker can send a specially crafted HTTP request to an exposed application endpoint, injecting malicious SQL queries into the backend database. Successful exploitation does not require prior authentication and allows the attacker to bypass security controls to read, modify, or exfiltrate sensitive information stored in the database.

This vulnerability is rated as High severity with a CVSS score of 7.3. Exploitation could lead to significant business disruption and financial loss. The primary risk is a data breach, resulting in the compromise of confidential company data (sales figures, pricing, stock levels) and sensitive customer information (names, addresses, purchase history). Potential consequences include reputational damage, loss of customer trust, and possible regulatory fines for non-compliance with data protection standards.

Immediate Action: Apply vendor security updates immediately across all affected systems. Following the update, monitor for any signs of exploitation attempts by reviewing web server and application access logs for unusual or malicious-looking requests targeting the inventory system.

Proactive Monitoring: Implement enhanced logging and monitoring focused on web and database server activity. Security teams should look for suspicious patterns in web request logs, such as the presence of SQL keywords (SELECT, UNION, --, ' OR '1'='1') in URL parameters or POST bodies. Monitor for anomalous database queries and unusual outbound network traffic from the database server, which could indicate data exfiltration.

Compensating Controls: If patching cannot be performed immediately, deploy a Web Application Firewall (WAF) with a ruleset configured to detect and block SQL injection attacks. Additionally, ensure the application's database user account is configured with the principle of least privilege, restricting its permissions to only what is necessary for application functionality.

Public Exploit Available: false

Given the high severity of this vulnerability and the direct risk it poses to sensitive business and customer data, we strongly recommend that organizations prioritize the deployment of the vendor-provided patch as the primary remediation action. Although this CVE is not currently listed on the CISA KEV list, its critical nature makes it a likely target for future exploitation. Immediate patching and proactive monitoring are essential to prevent a potentially damaging data breach.