VYPR

CandidATS

by CandidATS

CVEs (10)

  • CVE-2022-42744CriNov 3, 2022
    risk 0.64cvss 9.8epss 0.01

    CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks.

  • CVE-2022-42751HigNov 3, 2022
    risk 0.57cvss 8.8epss 0.00

    CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions.

  • CVE-2022-42750HigNov 3, 2022
    risk 0.57cvss 8.8epss 0.01

    CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.

  • CVE-2020-9341HigFeb 22, 2020
    risk 0.57cvss 8.8epss 0.01

    CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.

  • CVE-2022-42745HigNov 3, 2022
    risk 0.49cvss 7.5epss 0.01

    CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.

  • CVE-2022-25228MedAug 18, 2022
    risk 0.42cvss 6.5epss 0.01

    CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and…

  • CVE-2022-42749MedNov 3, 2022
    risk 0.40cvss 6.1epss 0.01

    CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

  • CVE-2022-42748MedNov 3, 2022
    risk 0.40cvss 6.1epss 0.01

    CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

  • CVE-2022-42747MedNov 3, 2022
    risk 0.40cvss 6.1epss 0.01

    CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

  • CVE-2022-42746MedNov 3, 2022
    risk 0.40cvss 6.1epss 0.01

    CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.