VYPR
Unrated severity · NVD Advisory · Published Nov 3, 2022 · Updated May 5, 2025

CVE-2022-42746

Description

CandidATS version 3.0.0, in the 'indexFile' parameter of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CandidATS 3.0.0 fails to validate the 'indexFile' parameter in ajax.php, allowing reflected XSS to steal cookies.

Vulnerability

CandidATS version 3.0.0 contains a reflected cross-site scripting (XSS) vulnerability in the indexFile parameter of the ajax.php resource. The application does not properly validate user input before reflecting it in the response, allowing an attacker to inject arbitrary JavaScript. This issue is tracked as CVE-2022-42746, and related XSS vulnerabilities exist in other parameters (sortBy, sortDirection, page) [1][2].

Exploitation

An unauthenticated remote attacker can craft a malicious URL containing JavaScript in the indexFile parameter. The proof-of-concept link is:

https://demo.candidats.net/ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php%27);%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E%3C!--&isPopup=0

To trigger the exploit, the attacker must lure a logged-in administrator into clicking the malicious link. The injected script executes in the victim's browser session, allowing cookie theft [2].

Impact

Successful exploitation enables an attacker to steal the session cookie of an authenticated administrator. With the stolen cookie, the attacker can impersonate the administrator and perform an account takeover, potentially gaining full control over the CandidATS instance and its data. The CVSS v3.1 score is 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability [2].

Mitigation

As of the public disclosure date (October 26, 2022), no patch was available for this vulnerability. Administrators are advised to apply input validation and output encoding to the affected indexFile parameter in ajax.php, or implement a web application firewall (WAF) rule to block malicious payloads. CandidATS 3.0.0 is the only affected version mentioned in the references [2].
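The following is an added example, not CandidATS code, showing the two controls the paragraph above recommends: an allowlist check on indexFile and context-aware output encoding. It assumes (from the shape of the proof-of-concept payload, which closes a JavaScript string and an HTML attribute before opening a script tag) that the parameter is echoed into a JavaScript string inside an HTML event-handler attribute; the exact markup CandidATS emits is not on this page, and the allowlist contents are a placeholder that an administrator would populate from the application's real entry scripts.

```php
<?php
declare(strict_types=1);

// Added example (not from CandidATS): hardened handling of the indexFile parameter.
// ASSUMPTION: indexFile selects an entry script and is reflected inside a JavaScript
// string within an HTML attribute. The allowlist below is a placeholder; take the
// real set of legitimate values from the application.
const ALLOWED_INDEX_FILES = ['index.php'];

/**
 * Input validation: accept only an exact allowlisted value, otherwise fall back to
 * the default. A strict comparison (third argument true) prevents type juggling.
 */
function validateIndexFile(?string $value): string
{
    if ($value !== null && in_array($value, ALLOWED_INDEX_FILES, true)) {
        return $value;
    }
    return 'index.php';
}

/**
 * Output encoding for an HTML attribute value: encodes <, >, &, " and '.
 */
function encodeForHtmlAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Output encoding for a JavaScript string literal: json_encode produces a quoted,
 * escaped literal, and the HEX flags ensure <, >, ', " and & cannot break out of
 * the surrounding markup even before HTML encoding is applied.
 */
function encodeForJsString(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

/**
 * Vulnerable pattern: request input is concatenated straight into the page.
 * A value such as  index.php');"><script>...  closes the string, the handler
 * and the attribute, and the script tag becomes live markup.
 */
function renderBackLinkVulnerable(string $indexFile): string
{
    return '<a href="#" onclick="location.href=\'' . $indexFile . '\';">Back</a>';
}

/**
 * Hardened pattern: validate against the allowlist first, then encode once for the
 * innermost context (JavaScript string) and once for the outer context (HTML
 * attribute). The browser undoes the layers in the reverse order.
 */
function renderBackLinkHardened(?string $rawIndexFile): string
{
    $indexFile = validateIndexFile($rawIndexFile);
    $js = 'location.href=' . encodeForJsString($indexFile) . ';';
    return '<a href="#" onclick="' . encodeForHtmlAttribute($js) . '">Back</a>';
}

// Constructed input with the same shape as the advisory's (URL-decoded) payload.
$constructedPayload = "index.php');\"><script>alert(document.cookie);</script><!--";

echo renderBackLinkVulnerable($constructedPayload), PHP_EOL; // script tag lands in the page
echo renderBackLinkHardened($constructedPayload), PHP_EOL;   // rejected by the allowlist; output is inert
```

Running the script prints the vulnerable rendering with a live script element and the hardened rendering with the default value, every quote and angle bracket entity-encoded. Even if the allowlist were omitted, the two encoding steps alone would keep the reflected value inside its string literal, which is why output encoding, not input filtering, is the primary fix for reflected XSS.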

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2

News mentions: 0 (no linked articles in the index yet)