CVE-2022-42747

Name of the Vulnerable Software and Affected Versions CandidATS version 3.0.0

Description The issue allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks, specifically on the sortBy parameter of the "ajax.php" resource.

Recommendations For CandidATS version 3.0.0, consider disabling the ajax.php resource or restricting access to it until a patch is available. As a temporary workaround, restrict the use of the sortBy parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.