CVE-2022-42746 The 3.0.0 version of the CandidATS API allows an attacker to steal cookies of arbitrary users.

Impact Low - The application may be abused for phishing attempts or for obtaining sensitive information about the user. - The application may be abused for phishing attempts or for obtaining sensitive information about the user. - An external attacker may be able to steal the cookie of arbitrary users by injecting a malicious request. Fix - Users should not input any sensitive data when submitting data through a POST request. - Users should avoid using the same password across different services and applications. - Users should not input any sensitive data when submitting data through a POST request. - Users should avoid using the same password across different services and applications. - An application should perform input validation when accepting user input. - An application should perform input validation when accepting user input. - An application should avoid allowing unauthenticated requests. - An application should avoid allowing unauthenticated requests. - An application should not allow data to be POSTed through unauthenticated requests. - An application should not allow data to be POSTed through unauthenticated requests. - An application should not store user data in session. - An application should not store user data in session. - An application should not store user data inajax. - An application should not store user data inajax. - An application should not allow session data to be stored inajax.

Summary

The application may be abused for phishing attempts or for obtaining sensitive information about the user.
An external attacker may be able to steal the cookie of arbitrary users by injecting a malicious request.
An application should perform input validation when accepting user input.
An application should avoid allowing unauthenticated requests.
An application should not allow data to be POSTed through unauthenticated requests.

Description

CVE-2022-42746 is a vulnerability in the application that allows an external attacker to steal the cookie of arbitrary users by injecting a malicious request.
The vulnerability arises when the application performs input validation when accepting user input. The vulnerability has two potential attack vectors, both of which are reflected in the CVSS score. An attacker can either inject a malicious request with invalid user information and then submit it to the application, or they can exploit session fixation to steal sensitive information about other users.
Users should not input any sensitive data when submitting data through a POST request, and should avoid using the same password across different services and applications.  They should also perform input validation after receiving user input and prevent session fixation.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 12/05/2022 15:15:00 UTC

References

• https://candidats.net/
• https://fluidattacks.com/advisories/modestep/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42746