CandidATS 3.0.0 - Stored XSS to Account Takeover

Summary

NameCandidATS 3.0.0 - Stored XSS to Account Takeover
Code nameCastles
ProductCandidATS
Affected versionsVersion 3.0.0
StatePublic
Release date2022-10-27

Vulnerability

KindStored cross-site scripting (XSS)
Rule083. Stored cross-site scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSSv3 Base Score8.8
Exploit availableYes
CVE ID(s)CVE-2022-42750

Description

CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.

Vulnerability

The Stored XSS present in CandidATS 3.0.0 allows an unauthenticated remote attacker to perform an Account Takeover. To trigger this vulnerability, we will need to force a user to upload a malicious file and wait for them to view the file.

Exploitation

In this attack we will obtain the administrator user account, through a malicious link.

candidats-xssStored

exploit.png

Our security policy

We have reserved the CVE-2022-42750 to refer to these issues from now on.

System Information

  • Version: CandidATS 3.0.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://candidats.net/

Timeline

Time-lapse-logo

2022-10-07

Vulnerability discovered.

Time-lapse-logo

2022-10-07

Vendor contacted.

Time-lapse-logo

2022-10-07

Vendor replied acknowledging the report.

Time-lapse-logo

2022-10-27

Public Disclosure.