CandidATS 3.0.0 - CSRF to Privilege Escalation
Summary
| Field | Value |
| --- | --- |
| Name | CandidATS 3.0.0 - CSRF to Privilege Escalation |
| Code name | |
| Product | CandidATS |
| Affected versions | Version 3.0.0 |
| State | Public |
| Release date | 2022-10-27 |
Vulnerability
| Field | Value |
| --- | --- |
| Kind | Cross-site request forgery |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVSSv3.1 Base Score | 8.8 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2022-42751 |
Description
CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application is vulnerable to cross-site request forgery (CSRF): an attacker can persuade an administrator to open a crafted page that submits a request creating a new account with administrative permissions.
Vulnerability
The cross-site request forgery present in CandidATS 3.0.0 allows a remote attacker to elevate privileges in the application. To trigger this vulnerability, an administrator must be persuaded to open a malicious link.
Exploitation
In this attack, privileges are elevated in the application through a malicious link opened by an authenticated administrator.
Our security policy
We have reserved the CVE-2022-42751 to refer to these issues from now on.
System Information
- Version: CandidATS 3.0.0
- Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
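Since no vendor patch exists, the following added example (written here in Python; it is not CandidATS code, and the `add_user` handler, session object and `APP_ORIGIN` are assumptions) contrasts the cookie-only authorisation pattern this advisory describes with a handler that also requires a per-session synchronizer token and an Origin/Referer check, which is what blocks a forged cross-site form submission.

```python
import hmac
import secrets
from typing import Dict, Optional

# Assumption: the application's own origin, used to validate Origin/Referer.
APP_ORIGIN = "https://ats.example.test"


class Session:
    """Minimal server-side session (constructed; not CandidATS's session code)."""

    def __init__(self, user: str, is_admin: bool):
        self.user = user
        self.is_admin = is_admin
        # Per-session secret rendered into the app's own forms as a hidden field;
        # a page on another origin cannot read it, so it cannot forge the request.
        self.csrf_token = secrets.token_urlsafe(32)


def add_user_cookie_only(session: Session, form: Dict[str, str],
                         users: Dict[str, bool]) -> str:
    """Vulnerable pattern: the session cookie alone authorises the change, so a form
    auto-submitted by any page the admin visits is accepted."""
    if not session.is_admin:
        return "forbidden"
    users[form["username"]] = form.get("is_admin") == "1"
    return "created"


def token_valid(session: Session, submitted: Optional[str]) -> bool:
    # Constant-time comparison; a missing token is never accepted.
    return submitted is not None and hmac.compare_digest(session.csrf_token, submitted)


def origin_valid(headers: Dict[str, str]) -> bool:
    # Browsers send Origin (or at least Referer) with form POSTs; fail closed when
    # neither is present and reject any value that is not the application itself.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False
    return origin == APP_ORIGIN or origin.startswith(APP_ORIGIN + "/")


def add_user(session: Session, headers: Dict[str, str], form: Dict[str, str],
             users: Dict[str, bool]) -> str:
    """Hardened handler: returns 'created' or the reason the request was rejected."""
    if not session.is_admin:
        return "forbidden"
    if not origin_valid(headers):
        return "rejected: bad origin"
    if not token_valid(session, form.get("csrf_token")):
        return "rejected: bad csrf token"
    users[form["username"]] = form.get("is_admin") == "1"
    return "created"
```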
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page: https://candidats.net/
Timeline
2022-10-07: Vulnerability discovered.
2022-10-07: Vendor contacted.
2022-10-07: Vendor replied acknowledging the report.
2022-10-27: Public disclosure.