Auieo

Candidats

9 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2022-42744

Exploit
  • EPSS 0.94%
  • Veröffentlicht 03.11.2022 20:15:32
  • Zuletzt bearbeitet 05.05.2025 13:15:47

CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks.

6.1

CVE-2022-42746

Exploit
  • EPSS 3.41%
  • Veröffentlicht 03.11.2022 20:15:32
  • Zuletzt bearbeitet 05.05.2025 14:15:25

CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

6.1

CVE-2022-42747

Exploit
  • EPSS 3.12%
  • Veröffentlicht 03.11.2022 20:15:32
  • Zuletzt bearbeitet 05.05.2025 14:15:25

CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

6.1

CVE-2022-42748

Exploit
  • EPSS 2.71%
  • Veröffentlicht 03.11.2022 20:15:32
  • Zuletzt bearbeitet 05.05.2025 14:15:26

CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks....

6.1

CVE-2022-42749

Exploit
  • EPSS 2.71%
  • Veröffentlicht 03.11.2022 20:15:32
  • Zuletzt bearbeitet 05.05.2025 14:15:26

CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

8.8

CVE-2022-42751

Exploit
  • EPSS 0.12%
  • Veröffentlicht 03.11.2022 18:15:17
  • Zuletzt bearbeitet 05.05.2025 14:15:26

CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions...

8.8

CVE-2022-42750

Exploit
  • EPSS 0.9%
  • Veröffentlicht 03.11.2022 18:15:16
  • Zuletzt bearbeitet 05.05.2025 14:15:26

CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.

6.5

CVE-2022-25228

Exploit
  • EPSS 0.56%
  • Veröffentlicht 18.08.2022 20:15:10
  • Zuletzt bearbeitet 21.11.2024 06:51:50

CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOr...

8.8

CVE-2020-9341

Exploit
  • EPSS 0.41%
  • Veröffentlicht 22.02.2020 22:15:11
  • Zuletzt bearbeitet 21.11.2024 05:40:26

CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.