CandidATS 3.0.0 - SQLi via entriesPerPage
8.8
High
Discovered by

Offensive Team, Fluid Attacks
Summary
Full name
CandidATS 3.0.0 - SQLi via entriesPerPage
Code name
State
Public
Release date
Oct 25, 2022
Affected product
CandidATS
Affected version(s)
Version 3.0.0
Vulnerability name
SQL injection
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 base score
8.8
Exploit available
Yes
CVE ID(s)
Description
CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter, which leaves it open to SQL injection.
Vulnerability
The SQLi present in CandidATS 3.0.0 allows an unauthenticated remote attacker to perform CRUD operations on the application database. To trigger this vulnerability, a malicious SQL query is sent in the entriesPerPage parameter.
Exploitation
In this attack we will obtain the records containing the emails and passwords of the users. To achieve this we need three things:
candidATS.req
The application request, saved to a file.
SqlMap Command
Executing this command returns the records of interest.
Dump DB
Finally, we see that the user records were compromised.

Our security policy
We have reserved the CVE-2022-42744 to refer to this issue from now on.
Disclosure policy
System Information
Version: CandidATS 3.0.0
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
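As an added illustration (not code from CandidATS or from this advisory), the following Python sketch contrasts the pattern the advisory describes, a pagination size concatenated straight into a LIMIT clause, with a hardened version that strictly validates the value and binds it as an integer parameter. The table schema, sample rows and allowed page sizes are constructed assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's user table; the
# hypothetical schema and rows are not taken from CandidATS.
SAMPLE_ROWS = [(i, f"user{i}@example.test") for i in range(1, 41)]

# Hypothetical allowlist of the page sizes the UI actually offers.
ALLOWED_PAGE_SIZES = (15, 30, 50)
_DIGITS = re.compile(r"[0-9]{1,4}")

def make_db():
    """Build the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def query_vulnerable(conn, entries_per_page):
    """Vulnerable pattern: the raw request value is concatenated into the
    LIMIT clause, so anything after the number becomes part of the SQL."""
    sql = "SELECT id, email FROM users LIMIT " + entries_per_page
    return conn.execute(sql).fetchall()

def parse_entries_per_page(raw):
    """Strict validation of a page size: digits only, then allowlisted.
    Rejects None, blanks, signs, letters, embedded SQL and unexpected sizes."""
    if raw is None or not _DIGITS.fullmatch(raw.strip()):
        raise ValueError("entriesPerPage must be a positive integer")
    size = int(raw.strip())
    if size not in ALLOWED_PAGE_SIZES:
        raise ValueError(f"entriesPerPage {size} is not an allowed page size")
    return size

def query_hardened(conn, entries_per_page):
    """Hardened pattern: validate first, then bind LIMIT as an integer
    parameter so the value can never change the statement's structure."""
    size = parse_entries_per_page(entries_per_page)
    return conn.execute("SELECT id, email FROM users LIMIT ?", (size,)).fetchall()

def rejects(raw):
    """True if the hardened validator refuses the given raw parameter."""
    try:
        parse_entries_per_page(raw)
    except ValueError:
        return True
    return False
```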
References
Vendor page https://candidats.net/
Timeline
Vulnerability discovered
Oct 7, 2022
Vendor confirmed vulnerability
Oct 7, 2022
Vendor contacted
Oct 7, 2022
Vendor replied
Oct 7, 2022
Public disclosure
Oct 25, 2022