Multiple XSS in CandidATS leads to account takeover
|Name||Multiple XSS in CandidATS leads to account takeover|
|Affected versions||Version 3.0.0|
|Kind||Reflected cross-site scripting (XSS)|
|Rule||008. Reflected cross-site scripting (XSS)|
|CVSSv3 Base Score||8.8|
|CVE ID(s)||CVE-2022-42746, CVE-2022-42747, CVE-2022-42748, CVE-2022-42749|
CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
The XSS present in CandidATS 3.0.0, allows an unauthenticated remote attacker to perform an Account Takeover. To trigger this vulnerability, we will need to send the following malicious link to an administrator in order to hack their account:
During the investigation, several parameters of the above URL were found to be vulnerable to XSS:
Different CVE-IDs were reserved for these vulnerabilities because when analyzing the source code, we realized that each of these flaws is fixed independently.
In this attack we will obtain the administrator user account, through a malicious link:
Our security policy
We have reserved the CVE-2022-42746, CVE-2022-42747, CVE-2022-42748, CVE-2022-42749 to refer to these issues from now on.
Version: CandidATS 3.0.0
Operating System: GNU/Linux
There is currently no patch available for this vulnerability.
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
Vendor page https://candidats.net/
Vendor replied acknowledging the report.