CVE-2022-25228

Name of the Vulnerable Software and Affected Versions CandidATS version 3.0.0 Beta

Description The issue allows an authenticated user to inject SQL queries through specific API endpoints, including '/index.php?m=settings&a=show' via the userID parameter, '/index.php?m=candidates&a=show' via the candidateID parameter, '/index.php?m=joborders&a=show' via the jobOrderID parameter, and '/index.php?m=companies&a=show' via the companyID parameter.

Recommendations As a temporary workaround, consider restricting access to the vulnerable API endpoints '/index.php?m=settings&a=show', '/index.php?m=candidates&a=show', '/index.php?m=joborders&a=show', and '/index.php?m=companies&a=show' until a patch is available. Avoid using the parameters userID, candidateID, jobOrderID, and companyID in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.