CVE-2022-42749
Description
CandidATS version 3.0.0, in the 'page' parameter of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CandidATS 3.0.0 has a reflected XSS in the 'page' parameter of ajax.php, enabling cookie theft and account takeover.
Vulnerability
CandidATS version 3.0.0 contains a reflected cross-site scripting (XSS) vulnerability in the page parameter of the ajax.php resource. The application fails to properly validate and sanitize user input before reflecting it in the response, allowing an attacker to inject arbitrary JavaScript. This vulnerability is reachable without authentication and affects the page parameter specifically (CVE-2022-42749) [2].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the page parameter and tricking an authenticated user (e.g., an administrator) into clicking it. For example, the attacker can append a payload such as page=0&indexFile=... to the ajax.php endpoint. When the victim's browser loads the crafted URL, the injected script executes in the context of the CandidATS session, sending the victim's session cookie to an attacker-controlled server [2].
Impact
Successful exploitation allows the attacker to steal the session cookie of the victim user. With the stolen cookie, the attacker can impersonate the victim and gain full access to their account, including any administrative privileges. This leads to a complete account takeover, compromising the confidentiality, integrity, and availability of the application and its data [2].
Mitigation
As of the public disclosure date (October 26, 2022), no official patch or fixed version has been released by the vendor. The advisory notes that the vendor was contacted but did not provide a fix. Users are advised to apply input validation and output encoding on the page parameter as a workaround, or consider upgrading to a patched version if one becomes available. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [2].
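The workaround above (validate the parameter, then encode it on output) is shown here as an added hardening sketch; this is not CandidATS code, the function names are hypothetical, and it assumes that 'page' is meant to be a non-negative integer, as the page=0 value in the advisory suggests:

```php
<?php
// Added example, not CandidATS source. Function names are hypothetical and the
// assumption that 'page' is a non-negative integer is an assumption of this sketch.

declare(strict_types=1);

/**
 * Input validation: accept only a plain non-negative integer, otherwise fall
 * back to page 0. The value is rejected rather than "cleaned", so a string
 * carrying markup never reaches the response at all.
 */
function validatePage(?string $raw): int
{
    if ($raw === null) {
        return 0;
    }
    // FILTER_VALIDATE_INT returns false for anything that is not a bare integer.
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $value === false ? 0 : $value;
}

/**
 * Output encoding for HTML body and attribute context. ENT_QUOTES encodes both
 * quote styles, so the value is also safe inside a quoted attribute.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render the fragment that reflects the page number. Validation (first layer)
 * and output encoding (second layer) are both applied, so a later change that
 * widens the accepted input does not silently reintroduce the reflection.
 */
function renderPageLink(array $query): string
{
    $page = validatePage($query['page'] ?? null);
    $encoded = encodeForHtml((string) $page);
    return sprintf('<a href="ajax.php?page=%s">page %s</a>', $encoded, $encoded);
}

// Constructed sample requests: a benign value, a value with markup appended,
// and a bare tag. The last two are rejected by validation and render as page 0.
$samples = [
    ['page' => '2'],
    ['page' => '0<b>x</b>'],
    ['page' => '<script>'],
];
foreach ($samples as $query) {
    echo renderPageLink($query), PHP_EOL;
}
```

Run with `php hardening.php`; every line of output contains only a numeric page value, and no sample input reaches the HTML unencoded. The same two-layer pattern applies to any other reflected parameter: validate against the narrowest type the feature needs, and encode for the exact output context (HTML body, attribute, JavaScript, URL) regardless.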
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
CandidATS / CandidATS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.