CVE-2022-42748
Description
CandidATS version 3.0.0, via the 'sortDirection' parameter of the 'ajax.php' resource, allows an external attacker to steal the cookies of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CandidATS 3.0.0 fails to sanitize the 'sortDirection' parameter in ajax.php, allowing reflected XSS that can steal cookies and lead to account takeover.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in CandidATS version 3.0.0 within the ajax.php resource. The application does not properly validate user input supplied via the sortDirection parameter before reflecting it in the HTTP response. An unauthenticated attacker can craft a malicious URL containing JavaScript payloads in this parameter [2].
Exploitation
An attacker can exploit this vulnerability by convincing an authenticated administrator to click a crafted link. No special network position or prior authentication is required. The proof-of-concept URL targets the endpoint /ajax.php?f=getPipelineJobOrder&sortDirection=desc%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E. When the victim loads this URL, the injected script executes in the context of the vulnerable page [2].
Impact
Successful exploitation allows an external attacker to steal the HTTP cookies of arbitrary users, including session cookies. By hijacking the administrator's session, the attacker can perform an account takeover, gaining full access to the CandidATS application with the privileges of the victim user [1][2].
Mitigation
As of the publication date (2022-11-03), no patch is available for this vulnerability. The advisory from Fluid Attacks states that the vendor was contacted but a fix has not been released. Users are advised to apply web application firewall (WAF) rules or other input validation controls to mitigate the risk until an official patch is provided [2].
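Added example (not CandidATS code and not a vendor fix): the allowlist check a maintainer would apply to sortDirection before it is reflected, and the same allowlist used to flag out-of-policy values in web server access logs while no patch exists. The log lines are constructed, and the common-log-format layout is an assumption about the deployment.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# The only values a sort direction should ever carry.
ALLOWED_SORT_DIRECTIONS = {"asc", "desc"}

def normalize_sort_direction(value: str, default: str = "asc") -> str:
    """Server-side allowlist (hypothetical fix, not the vendor's): anything other
    than asc/desc collapses to the default, so nothing attacker-controlled is
    ever echoed back into the page."""
    candidate = value.strip().lower()
    return candidate if candidate in ALLOWED_SORT_DIRECTIONS else default

def suspicious_sort_direction(request_target: str) -> Optional[str]:
    """Return the decoded sortDirection of a request to ajax.php when it falls
    outside the allowlist, else None. A second unquote catches double-encoding."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/ajax.php"):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("sortDirection", []):
        decoded = unquote(raw)  # parse_qs already decoded once
        if decoded.strip().lower() not in ALLOWED_SORT_DIRECTIONS:
            return decoded
    return None

# Common log format; the layout is an assumption about the deployment's logs.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_value) for every request whose sortDirection
    is outside the allowlist; such requests have no legitimate sort meaning."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            value = suspicious_sort_direction(m.group(2))
            if value is not None:
                hits.append((m.group(1), value))
    return hits

# Constructed sample lines (not from a real deployment): one benign request and
# one carrying the PoC payload quoted in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Nov/2022:10:00:00 +0000] "GET /ajax.php?f=getPipelineJobOrder&sortDirection=desc HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Nov/2022:10:00:07 +0000] "GET /ajax.php?f=getPipelineJobOrder&sortDirection=desc%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E HTTP/1.1" 200 640',
]
```

Running scan_access_log(SAMPLE_LOG) reports only the second line, with the decoded markup as the offending value.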
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CandidATS/CandidATS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.