This vulnerability in Tribulant Gallery Voting (<= 1.2.1) combines CSRF and Stored XSS issues. The CSRF flaw allows attackers to trick authenticated users into submitting unauthorized requests, potentially altering voting data or application state. The Stored XSS component means malicious scripts can be persistently stored in the application, potentially impacting users who view the affected content. The CVSS 3.1 vector indicates the attack can be performed remotely without privileges, requires user interaction, and affects confidentiality, integrity, and availability at a low to moderate level. No patch or official fix is currently documented.

Successful exploitation could allow attackers to perform unauthorized actions on behalf of authenticated users via CSRF and inject persistent malicious scripts via Stored XSS. This can lead to data manipulation, session hijacking, or other client-side attacks impacting confidentiality, integrity, and availability of the affected system. However, no known exploits in the wild have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider implementing CSRF protections such as anti-CSRF tokens and input sanitization to mitigate Stored XSS risks. Monitoring for updates from Tribulant Software is recommended.