Multiple XSS in CandidATS leads to account takeover

Summary

NameMultiple XSS in CandidATS leads to account takeover
Code nameModestep
ProductCandidATS
Affected versionsVersion 3.0.0
StatePublic
Release date2022-10-26

Vulnerability

KindReflected cross-site scripting (XSS)
Rule008. Reflected cross-site scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSSv3 Base Score8.8
Exploit availableYes
CVE ID(s)CVE-2022-42746, CVE-2022-42747, CVE-2022-42748, CVE-2022-42749

Description

CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

Vulnerability

The XSS present in CandidATS 3.0.0, allows an unauthenticated remote attacker to perform an Account Takeover. To trigger this vulnerability, we will need to send the following malicious link to an administrator in order to hack their account:

During the investigation, several parameters of the above URL were found to be vulnerable to XSS:

  1. indexFile (CVE-2022-42746)

  2. sortBy (CVE-2022-42747)

  3. sortDirection (CVE-2022-42748)

  4. page (CVE-2022-42749)

Different CVE-IDs were reserved for these vulnerabilities because when analyzing the source code, we realized that each of these flaws is fixed independently.

Exploitation

In this attack we will obtain the administrator user account, through a malicious link:

exploit

Our security policy

We have reserved the CVE-2022-42746, CVE-2022-42747, CVE-2022-42748, CVE-2022-42749 to refer to these issues from now on.

System Information

  • Version: CandidATS 3.0.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://candidats.net/

Timeline

Time-lapse-logo

2022-10-07

Vulnerability discovered.

Time-lapse-logo

2022-10-07

Vendor contacted.

Time-lapse-logo

2022-10-07

Vendor replied acknowledging the report.

Time-lapse-logo

2022-10-26

Public Disclosure.