CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and '/index.php?m=companies&a=show' via the 'companyID' parameter
References
Link | Resource |
---|---|
https://candidats.net/forums/ | Product Vendor Advisory |
https://fluidattacks.com/advisories/jackson/ | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Fluid Attacks
Published: 2022-08-18T19:29:36
Updated: 2022-08-18T19:29:36
Reserved: 2022-02-15T00:00:00
Link: CVE-2022-25228
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-08-18T20:15:10.647
Modified: 2022-08-19T20:27:46.463
Link: CVE-2022-25228
JSON object: View
Redhat Information
No data.
CWE