CVE-2026-57912

Johnson & Johnson · Campus Recruiting

Johnson & Johnson Campus Recruiting contains an improper access control vulnerability allowing unauthorized viewing of sensitive student data and interviewer notes.

Executive summary

An improper access control flaw in Johnson & Johnson Campus Recruiting allows unauthorized parties to access sensitive recruitment data, posing a significant risk of data exposure.

Vulnerability

The application fails to properly enforce authorization checks, allowing unauthorized disclosure of student-provided information and private interviewer feedback. The advisory does not state whether exploitation requires authentication, but the nature of the flaw indicates a significant failure in the application's access control logic.

Business impact

Successful exploitation of this vulnerability could lead to the unauthorized exposure of personally identifiable information (PII) and sensitive internal interview documentation. Given the CVSS score of 7.5, this high-severity flaw carries substantial risk regarding regulatory compliance, potential loss of candidate trust, and reputational damage to the organization's recruitment processes.

Remediation

Immediate Action: Identify all instances of the Campus Recruiting software and apply the latest security updates provided by Johnson & Johnson without delay.

Proactive Monitoring: Review application access logs for unusual patterns, such as bulk data exports or access requests originating from unauthorized or unexpected user accounts.

Compensating Controls: Implement strict network-level access controls or a Web Application Firewall (WAF) to restrict traffic to the affected recruitment portal to known, authorized IP ranges.
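The log review described under Proactive Monitoring can be scripted. The following is an added example, not code from the advisory or from Johnson & Johnson; the log line format, the field names, the sample log lines and the allow-list of authorized accounts are all constructed assumptions, and a real portal's audit log will need its own parser. It flags three of the patterns the remediation names: one account touching many distinct records in a short window (a bulk read), explicit export actions, and activity from accounts outside the expected user set.

```python
"""Added example: review recruitment-portal access logs for the patterns the
advisory names (bulk reads, exports, unexpected accounts). Everything below,
including the log format, is an assumption and not the product's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <action> <resource>".
# Six distinct candidate records read by svc_unknown within five seconds
# models a scripted enumeration; the EXPORT line models a bulk download.
SAMPLE_LOG = """\
2026-03-02T09:00:01Z recruiter_a VIEW candidate/1001
2026-03-02T09:00:05Z recruiter_a VIEW candidate/1002
2026-03-02T09:01:10Z recruiter_b VIEW interview_notes/1001
2026-03-02T09:02:00Z svc_unknown VIEW candidate/1003
2026-03-02T09:02:01Z svc_unknown VIEW candidate/1004
2026-03-02T09:02:02Z svc_unknown VIEW candidate/1005
2026-03-02T09:02:03Z svc_unknown VIEW candidate/1006
2026-03-02T09:02:04Z svc_unknown VIEW candidate/1007
2026-03-02T09:02:05Z svc_unknown VIEW candidate/1008
2026-03-02T09:30:00Z recruiter_a EXPORT candidate/*
"""

# Constructed allow-list: accounts expected to use the portal at all.
AUTHORIZED_USERS = {"recruiter_a", "recruiter_b"}


def parse_log(text):
    """Parse the assumed four-field format into (timestamp, user, action, resource)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, resource))
    return events


def bulk_access(events, threshold=5, window=timedelta(minutes=1)):
    """Return {user: max distinct records} for users who read at least
    `threshold` distinct records inside any sliding time window."""
    per_user = defaultdict(list)
    for ts, user, _action, resource in events:
        per_user[user].append((ts, resource))
    flagged = {}
    for user, items in per_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {res for _, res in items[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def unauthorized_users(events, allow):
    """Accounts appearing in the log that are not on the allow-list."""
    return sorted({user for _, user, _, _ in events if user not in allow})


def explicit_exports(events):
    """Every EXPORT action, which deserves manual confirmation regardless of user."""
    return [(user, resource) for _, user, action, resource in events if action == "EXPORT"]


def review(text, allow=AUTHORIZED_USERS):
    """Run all three checks and return a findings dict for triage."""
    events = parse_log(text)
    return {
        "bulk": bulk_access(events),
        "unauthorized": unauthorized_users(events, allow),
        "exports": explicit_exports(events),
    }


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The threshold and window are tuning knobs: a recruiter paging through a shortlist legitimately reads several records a minute, so baseline the normal per-user rate from a quiet period before choosing values, and treat the output as a triage queue rather than a verdict.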

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this vulnerability necessitates immediate attention to prevent the unauthorized disclosure of sensitive candidate data. Administrators must prioritize the deployment of vendor-supplied patches and conduct a thorough audit of access logs to ensure no prior unauthorized data exfiltration has occurred.