Local File Read in CandidATS 3.0.0 via XXE

Summary

NameLocal File Read in CandidATS 3.0.0 via XXE
Code nameJ.Cole
ProductCandidATS
Affected versionsVersion 3.0.0
StatePublic
Release date2022-10-27

Vulnerability

KindXML injection (XXE)
Rule083. XML injection (XXE)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSSv3 Base Score6.5
Exploit availableYes
CVE ID(s)CVE-2022-42745

Description

CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.

Vulnerability

The XXE present in CandidATS 3.0.0, allows an unauthenticated remote attacker to read arbitrary files from the server. To trigger this vulnerability, we will need to upload a malicious DOCX to the server.

Exploitation

In this attack we will be able to read arbitrary files from the server, through an XXE.

LFR-viaXXE-candidats

exploit.png

Our security policy

We have reserved the CVE-2022-42745 to refer to these issues from now on.

System Information

  • Version: CandidATS 3.0.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://candidats.net/

Timeline

Time-lapse-logo

2022-10-11

Vulnerability discovered.

Time-lapse-logo

2022-10-11

Vendor contacted.

Time-lapse-logo

2022-10-11

Vendor replied acknowledging the report.

Time-lapse-logo

2022-10-27

Public Disclosure.