Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Auieo Subscribe
Total 10 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-42747 1 Auieo 1 Candidats 2023-01-26 N/A 6.1 MEDIUM
CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVE-2022-42749 1 Auieo 1 Candidats 2023-01-26 N/A 6.1 MEDIUM
CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVE-2022-42748 1 Auieo 1 Candidats 2023-01-26 N/A 6.1 MEDIUM
CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVE-2022-42746 1 Auieo 1 Candidats 2023-01-26 N/A 6.1 MEDIUM
CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVE-2022-42745 1 Auieo 1 Candidats 2022-11-04 N/A 7.5 HIGH
CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.
CVE-2022-42744 1 Auieo 1 Candidats 2022-11-04 N/A 9.8 CRITICAL
CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks.
CVE-2022-42751 1 Auieo 1 Candidats 2022-11-04 N/A 8.8 HIGH
CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions.
CVE-2022-42750 1 Auieo 1 Candidats 2022-11-04 N/A 8.8 HIGH
CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.
CVE-2022-25228 1 Auieo 1 Candidats 2022-08-19 N/A 6.5 MEDIUM
CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and '/index.php?m=companies&a=show' via the 'companyID' parameter
CVE-2020-9341 1 Auieo 1 Candidats 2020-02-24 6.8 MEDIUM 8.8 HIGH
CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.