
CVE-2025-10617: SQL Injection in SourceCodester Online Polling System

Medium
Published: Wed Sep 17 2025 (09/17/2025, 20:32:10 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Polling System

Description

A weakness has been identified in SourceCodester Online Polling System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/positions.php. Manipulation of the argument ID causes SQL injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.

AI-Powered Analysis

Last updated: 09/17/2025, 20:42:11 UTC

Technical Analysis

CVE-2025-10617 is a SQL injection vulnerability in SourceCodester Online Polling System version 1.0, located in the /admin/positions.php file. The flaw arises because the 'ID' request parameter is not validated or sanitized before it is incorporated into a database query, so an attacker who controls that parameter can alter the structure of the SQL statement and execute arbitrary SQL against the backend database. The vulnerability has a CVSS 4.0 base score of 5.3, a medium severity. The vector is network-based (AV:N) with low attack complexity (AC:L), requires only low privileges (PR:L), and needs no user interaction (UI:N). The impact on confidentiality, integrity, and availability is rated low (VC:L, VI:L, VA:L), indicating partial compromise of the database rather than full system takeover. Although no exploitation in the wild is currently known, exploit code has been published, which raises the likelihood of attempts. Only version 1.0 is affected, and no official patch or vendor mitigation has been published yet. Because the product is an online polling system, successful exploitation could let an attacker manipulate poll data, extract stored information, or disrupt polling operations, undermining trust and data integrity.
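The defect class described above, and the input-validation fix recommended under Mitigation Recommendations, are easiest to see side by side. The following is an added illustration written for this page in Python with an in-memory SQLite database; it is not the polling system's PHP code, and the `positions` table, its columns and rows, and the three lookup functions are constructed assumptions, since the real schema is not on the page. The point it demonstrates is that a value concatenated into SQL text can change the query's structure, while the same value bound as a parameter (and, better still, type-checked first) is only ever treated as data.

```python
import sqlite3

# Constructed stand-in for the application's positions table (assumption:
# the real schema is not on the page).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE positions (id INTEGER PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO positions VALUES (?, ?)",
                     [(1, "President"), (2, "Secretary"), (3, "Treasurer")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, raw_id):
    # Defect: the untrusted request parameter becomes part of the SQL text,
    # so SQL syntax inside raw_id is parsed as part of the statement.
    sql = "SELECT id, description FROM positions WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def lookup_bound_only(conn, raw_id):
    # Parameter binding alone: the value is passed to the engine separately
    # from the statement and can never change the query's structure.
    sql = "SELECT id, description FROM positions WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()

def lookup_hardened(conn, raw_id):
    # Validation plus binding: reject anything that is not an integer before it
    # reaches the database, then bind the typed value.
    try:
        pos_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT id, description FROM positions WHERE id = ?"
    return conn.execute(sql, (pos_id,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "2"))
    print("vulnerable, tautology    :", lookup_vulnerable(db, "2 OR 1=1"))
    print("bound only, tautology    :", lookup_bound_only(db, "2 OR 1=1"))
    print("hardened, normal input   :", lookup_hardened(db, "2"))
    try:
        lookup_hardened(db, "2 OR 1=1")
    except ValueError as exc:
        print("hardened, tautology      : rejected,", exc)
```

Running the block shows the concatenated query returning every row for the tautology input, the bound query returning nothing for it (SQLite compares the text literally against the integer column), and the hardened lookup refusing the input outright. In a PHP code base the equivalent change is to cast the parameter to an integer and use a prepared statement with a bound placeholder rather than interpolating `$_GET['ID']` into the query string.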

Potential Impact

For European organizations using SourceCodester Online Polling System 1.0, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to polling data, manipulation of poll results, or leakage of sensitive voter information, potentially affecting the integrity and confidentiality of polling processes. This could have reputational consequences, especially for organizations conducting public opinion surveys, elections, or internal decision-making polls. Additionally, disruption of polling services could impact availability, causing operational delays. Given the remote exploitability without user interaction, attackers could automate attacks at scale, targeting multiple organizations. However, the limited scope of impact and absence of privilege escalation reduces the likelihood of full system compromise. Organizations relying on this software for critical or public-facing polling should be particularly cautious, as manipulated poll results could influence public perception or decision-making.

Mitigation Recommendations

Since no official patches are available, European organizations should implement immediate compensating controls. These include:

1) Restricting access to the /admin/positions.php endpoint via network-level controls such as IP whitelisting or VPN access to limit exposure;

2) Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter;

3) Conducting thorough input validation and sanitization on all user-supplied parameters if source code access and modification are possible;

4) Monitoring logs for suspicious activity related to SQL injection attempts;

5) Considering temporary replacement or disabling of the vulnerable functionality if feasible;

6) Planning for an upgrade or migration to a patched or alternative polling system once available;

7) Educating administrators about the risks and signs of exploitation to enable rapid incident response.
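Recommendation 4 (log monitoring) can be made concrete with a small check that runs over web-server access logs. What follows is an added example written for this page, not tooling from the vendor or from the advisory source. It assumes Apache/nginx combined-format access logs; the four log lines, the client addresses (from documentation ranges), timestamps and user agents are all constructed sample data, and the rule is the narrow one the advisory implies: /admin/positions.php expects a numeric ID, so any request where that parameter decodes to something other than digits is worth an alert, whatever the payload looks like.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2025:20:30:01 +0000] "GET /admin/positions.php?ID=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2025:20:30:07 +0000] "GET /admin/positions.php?ID=3%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Sep/2025:20:31:15 +0000] "GET /admin/positions.php?ID=12 HTTP/1.1" 200 790 "-" "curl/8.0"
198.51.100.9 - - [17/Sep/2025:20:31:20 +0000] "GET /index.php HTTP/1.1" 200 4410 "-" "curl/8.0"
"""

# Minimal combined-log-format parser: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

MONITORED_PATH = "/admin/positions.php"   # endpoint named in the advisory
MONITORED_PARAM = "ID"                    # parameter named in the advisory

def parse_line(line):
    """Return a dict with ip, ts, method, path, params, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so the check sees what the app would see.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def is_suspicious_id(value):
    # The endpoint looks up a row by integer ID; anything non-numeric is at
    # best malformed and at worst an injection attempt.
    return not value.isdigit()

def find_alerts(log_text):
    """Flag requests to the monitored endpoint whose ID parameter is not numeric."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != MONITORED_PATH:
            continue
        for value in rec["params"].get(MONITORED_PARAM, []):
            if is_suspicious_id(value):
                alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                               "status": rec["status"], "id_value": value})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"ALERT {alert['ts']} {alert['ip']} ID={alert['id_value']!r} status={alert['status']}")
```

An allow-list check of this kind (does the value match the type the endpoint expects?) is more robust than pattern-matching known injection strings, which is also the more reliable way to write the WAF rule in recommendation 2. A 200 response paired with a non-numeric ID is worth prioritising, since it suggests the request reached the query rather than being rejected.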


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-17T11:19:48.595Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cb1c55752de33ea51cfe55

Added to database: 9/17/2025, 8:38:45 PM

Last enriched: 9/17/2025, 8:42:11 PM

Last updated: 9/17/2025, 9:37:28 PM

