CandidATS 3.0.0 - CSRF to Privilege Escalation

Summary

NameCandidATS 3.0.0 - CSRF to Privilege Escalation
Code nameLondra
ProductCandidATS
Affected versionsVersion 3.0.0
StatePublic
Release date2022-10-27

Vulnerability

KindCross-site request forgery
Rule007. Cross-site request forgery
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSSv3 Base Score8.8
Exploit availableYes
CVE ID(s)CVE-2022-42751

Description

CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions.

Vulnerability

The stored XSS present in CandidATS 3.0.0 allows a remote attacker to elevate privileges in the application. To trigger this vulnerability, we will need to persuade an administrator to open a malicious link.

Exploitation

In this attack we will elevate privileges in the application, through a malicious link.

candidATS-CSRF-Privilege-Escalation

Our security policy

We have reserved the CVE-2022-42751 to refer to these issues from now on.

System Information

  • Version: CandidATS 3.0.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://candidats.net/

Timeline

Time-lapse-logo

2022-10-07

Vulnerability discovered.

Time-lapse-logo

2022-10-07

Vendor contacted.

Time-lapse-logo

2022-10-07

Vendor replied acknowledging the report.

Time-lapse-logo

2022-10-27

Public Disclosure.