VYPR
Unrated severity · NVD Advisory · Published Nov 3, 2022 · Updated May 5, 2025

CVE-2022-42751

Description

CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF, which allows an attacker to persuade an administrator to create a new account with administrative permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CandidATS 3.0.0 suffers from a CSRF vulnerability allowing an attacker to trick an admin into creating a new privileged account, leading to privilege escalation.

Vulnerability

CandidATS version 3.0.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application fails to implement proper anti-CSRF tokens, allowing an external attacker to craft malicious requests that, when triggered by an authenticated administrator, can perform actions on their behalf. This vulnerability is specifically exploitable to create a new account with administrative permissions. The affected version is 3.0.0, as identified in the advisory [1].

Exploitation

To exploit this vulnerability, an attacker must persuade an authenticated administrator to open a malicious link (e.g., via email or social engineering). The attacker can craft a CSRF request that, when the administrator is logged into CandidATS, creates a new user account with administrative privileges. No authentication or special network access is required for the attacker beyond the ability to deliver a crafted link; the administrator is the one performing the action unintentionally [1].

Impact

Successful exploitation allows the attacker to gain elevated privileges within the application by having an administrator create an account with administrative rights. This leads to full compromise of the CandidATS installation, including unauthorized access to sensitive applicant data, system configuration, and potential further exploitation of the server [1].

Mitigation

As of the advisory publication date (November 2, 2022), no patch or official fix is available for CandidATS 3.0.0. The vendor was contacted on October 7, 2022, but no mitigation has been released. Users are advised to treat administrative actions with caution and to consider additional protections, such as custom anti-CSRF middleware in front of state-changing requests, or disabling the creation of admin accounts from requests that arrive via untrusted links [1].
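The vulnerability and mitigation sections above describe a state-changing admin action that trusts the session cookie alone and the anti-CSRF token check that would close the gap. The following Python is an added illustration written for this page, not code from CandidATS or the advisory: it models a "create user" handler in its unprotected form beside a hardened form that requires a synchronizer token bound to the server-side session and checks the request Origin. The site origin, the handler and type names, and the request model are assumptions constructed for the example.

```python
"""Synchronizer-token anti-CSRF check for an admin 'create user' handler (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the ATS deployment (placeholder, not taken from the advisory).
SITE_ORIGIN = "https://ats.example.test"


@dataclass
class Session:
    """Server-side session looked up from the browser's session cookie (constructed model)."""
    user: str
    role: str
    # One unguessable token per session, rendered into every admin form.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Minimal model of an incoming HTTP POST (constructed for the example)."""
    form: dict
    headers: dict = field(default_factory=dict)


def create_user_unprotected(session, request, users):
    """Vulnerable pattern: any POST that rides on the admin's cookie is honoured."""
    if session.role != "admin":
        return 403, "forbidden"
    users[request.form["username"]] = request.form["role"]
    return 201, "created"


def create_user_protected(session, request, users):
    """Hardened pattern: require a same-origin request carrying the session's token."""
    if session.role != "admin":
        return 403, "forbidden"
    # Defence in depth: browsers attach Origin to cross-site form POSTs, so a
    # mismatch (or an absent header) is rejected before the token is even checked.
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403, "rejected: cross-site origin"
    # Synchronizer token: the value embedded in the admin form must equal the
    # token stored in the server-side session. A page on another origin cannot
    # read it, so it cannot forge a valid submission. compare_digest avoids
    # leaking the token through comparison timing.
    supplied = request.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "rejected: missing or invalid anti-CSRF token"
    users[request.form["username"]] = request.form["role"]
    return 201, "created"


def run_demo():
    """Run both handlers against a legitimate and a forged submission."""
    admin = Session(user="admin", role="admin")
    # Legitimate submission from the real admin form: same origin, token present.
    legit = Request(
        form={"username": "new_admin", "role": "admin", "csrf_token": admin.csrf_token},
        headers={"Origin": SITE_ORIGIN},
    )
    # Forged submission: a form auto-posted from another site while the admin is
    # logged in. The browser still sends the session cookie, so `session` resolves
    # to the admin's, but the foreign page has no way to learn the token.
    forged = Request(
        form={"username": "attacker_admin", "role": "admin"},
        headers={"Origin": "https://evil.example.test"},
    )
    results = {}
    for name, handler in (("unprotected", create_user_unprotected),
                          ("protected", create_user_protected)):
        users = {}
        status_legit, _ = handler(admin, legit, users)
        status_forged, _ = handler(admin, forged, users)
        results[name] = {"legit": status_legit, "forged": status_forged,
                         "users": sorted(users)}
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:11s} legit={outcome['legit']} forged={outcome['forged']} "
              f"users={outcome['users']}")
```

Running the demo shows the unprotected handler accepting both submissions (the forged account lands in the user table), while the protected handler accepts only the legitimate one. Rejections are returned with a reason string so a real deployment could log them; a burst of "cross-site origin" or "invalid anti-CSRF token" rejections on an admin endpoint is a useful detection signal in its own right. Setting the session cookie with the `SameSite` attribute complements, but does not replace, the token check.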

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.