Vulnerabilities (CVE)

Filtered by vendor Auieo Subscribe
Total 9 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-42751 1 Auieo 1 Candidats 2024-11-21 N/A 8.8 HIGH
CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions.
CVE-2022-42750 1 Auieo 1 Candidats 2024-11-21 N/A 8.8 HIGH
CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.
CVE-2022-42749 1 Auieo 1 Candidats 2024-11-21 N/A 6.1 MEDIUM
CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVE-2022-42748 1 Auieo 1 Candidats 2024-11-21 N/A 6.1 MEDIUM
CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVE-2022-42747 1 Auieo 1 Candidats 2024-11-21 N/A 6.1 MEDIUM
CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVE-2022-42746 1 Auieo 1 Candidats 2024-11-21 N/A 6.1 MEDIUM
CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.
CVE-2022-42744 1 Auieo 1 Candidats 2024-11-21 N/A 9.8 CRITICAL
CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks.
CVE-2022-25228 1 Auieo 1 Candidats 2024-11-21 N/A 6.5 MEDIUM
CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and '/index.php?m=companies&a=show' via the 'companyID' parameter
CVE-2020-9341 1 Auieo 1 Candidats 2024-11-21 6.8 MEDIUM 8.8 HIGH
CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.