Shodan
Vulnerabilities
Vulnerable Software
Auieo:  >> Candidats  Security Vulnerabilities
CVE-2022-42744
CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-11-03
CVE-2022-42746
CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVSS Score
6.1
EPSS Score
0.06
Published
2022-11-03
CVE-2022-42747
CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVSS Score
6.1
EPSS Score
0.031
Published
2022-11-03
CVE-2022-42748
CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVSS Score
6.1
EPSS Score
0.031
Published
2022-11-03
CVE-2022-42749
CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVSS Score
6.1
EPSS Score
0.031
Published
2022-11-03
CVE-2022-42751
CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions.
CVSS Score
8.8
EPSS Score
0.001
Published
2022-11-03
CVE-2022-42750
CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.
CVSS Score
8.8
EPSS Score
0.004
Published
2022-11-03
CVE-2022-25228
CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and '/index.php?m=companies&a=show' via the 'companyID' parameter
CVSS Score
6.5
EPSS Score
0.004
Published
2022-08-18
CVE-2020-9341
CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.
CVSS Score
8.8
EPSS Score
0.004
Published
2020-02-22


Products
Pricing
Contact Us

Shodan ® - All rights reserved