Multiple XSS in CandidATS leads to account takeover

Summary


Name	Multiple XSS in CandidATS leads to account takeover
Code name	Modestep
Product	CandidATS
Affected versions	Version 3.0.0
State	Public
Release date	2022-10-26

Vulnerability


Kind	Reflected cross-site scripting (XSS)
Rule	008. Reflected cross-site scripting (XSS)
Remote	Yes
CVSSv3 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSSv3 Base Score	8.8
Exploit available	Yes
CVE ID(s)	CVE-2022-42746, CVE-2022-42747, CVE-2022-42748, CVE-2022-42749

Description

CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

Vulnerability

The XSS present in CandidATS 3.0.0, allows an unauthenticated remote attacker to perform an Account Takeover. To trigger this vulnerability, we will need to send the following malicious link to an administrator in order to hack their account:

https://demo.candidats.net/ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php%27);%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E%3C!--&isPopup=0

During the investigation, several parameters of the above URL were found to be vulnerable to XSS:

indexFile (CVE-2022-42746)
sortBy (CVE-2022-42747)
sortDirection (CVE-2022-42748)
page (CVE-2022-42749)

Different CVE-IDs were reserved for these vulnerabilities because when analyzing the source code, we realized that each of these flaws is fixed independently.