Description
Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.
References (3)
Core 3
Core References
Various Sources
https://schemasecurity.co/private-elections.pdf
Various Sources
https://www.electionservicesco.com/pages/services_internet.php
Various Sources
https://www.youtube.com/watch?v=yeG1xZkHc64
Scores
CVSS v3
10.0
EPSS
0.0105
EPSS Percentile
60.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (1)
electionservicesco/internet_election_service
Published
Oct 10, 2023
Tracked Since
Feb 18, 2026