PT-2022-26541 · Candidats · Candidats
Carlos Bello
·
Published
2022-11-03
·
Updated
2022-11-04
·
CVE-2022-42750
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
CandidATS version 3.0.0
Description
The issue allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.
Recommendations
For CandidATS version 3.0.0, update the application to a version that correctly validates user-uploaded files to prevent cookie theft. As a temporary workaround, consider restricting file uploads or implementing additional validation mechanisms to minimize the risk of exploitation.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Candidats