Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up
na/

CandidATS

2 Versions 9 CVEs

Versions

3.0.0

SEMANTIC 8 CVEs

3.0.0 Beta (Pilava Beta)

BETA 1 CVE

Recent CVEs

CVE-2022-42747

CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

UNKNOWN Nov 03, 2022

CVE-2022-42748

CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

UNKNOWN Nov 03, 2022

CVE-2022-42744

CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks.

UNKNOWN Nov 03, 2022

CVE-2022-42749

CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

UNKNOWN Nov 03, 2022

CVE-2022-42745

CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.

UNKNOWN Nov 03, 2022

CVE-2022-42746

CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

UNKNOWN Nov 03, 2022

CVE-2022-42750

CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.

UNKNOWN Nov 03, 2022

CVE-2022-42751

CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions.

UNKNOWN Nov 03, 2022

CVE-2022-25228

CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and '/index.php?m=companies&a=show' via the 'companyID' parameter

UNKNOWN Aug 18, 2022