
Auieo Candidats vulnerabilities

9 known vulnerabilities affecting auieo/candidats.

Total CVEs
9
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
CRITICAL 1, HIGH 3, MEDIUM 5

Vulnerabilities

CVE-2022-42746 | P3 | MEDIUM | CVSS 6.1 | PoC | v3.0.0 | 2022-11-03
CWE-79: CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
Source: NVD
CVE-2022-42747 | P3 | MEDIUM | CVSS 6.1 | PoC | v3.0.0 | 2022-11-03
CWE-79: CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
Source: NVD
CVE-2022-42748 | P3 | MEDIUM | CVSS 6.1 | PoC | v3.0.0 | 2022-11-03
CWE-79: CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
Source: NVD
CVE-2022-42749 | P3 | MEDIUM | CVSS 6.1 | PoC | v3.0.0 | 2022-11-03
CWE-79: CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
Source: NVD
CVE-2022-42744 | P3 | CRITICAL | CVSS 9.8 | v3.0.0 | 2022-11-03
CWE-89: CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks.
Source: NVD
CVE-2022-42750 | P3 | HIGH | CVSS 8.8 | v3.0.0 | 2022-11-03
CWE-79: CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.
Source: NVD
CVE-2022-42751 | P3 | HIGH | CVSS 8.8 | v3.0.0 | 2022-11-03
CWE-352: CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF, which allows an attacker to persuade an administrator to create a new account with administrative permissions.
Source: NVD
CVE-2020-9341 | P3 | HIGH | CVSS 8.8 | v2.1.0 | 2020-02-22
CWE-352: CandidATS 2.1.0 is vulnerable to CSRF that allows an administrator account to be added via the index.php?m=settings&a=addUser URI.
Source: NVD
CVE-2022-25228 | P3 | MEDIUM | CVSS 6.5 | v3.0.0, v3.0.0 Beta (Pilava Beta) | 2022-08-18
CWE-89: CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID' parameter, in '/index.php?m=joborders&a=show' via the 'jobOrderID' parameter, and in '/index.php?m=companies&a=show' via the 'companyID' parameter.
Source: NVD