CVE-2022-25228

Severity CVSS v4.0:

Pending analysis

Type:

CWE-89 SQL Injection

Publication date:

18/08/2022

Last modified:

19/08/2022

Description

CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in &#39;/index.php?m=settings&a=show&#39; via the &#39;userID&#39; parameter, in &#39;/index.php?m=candidates&a=show&#39; via the &#39;candidateID&#39;, in &#39;/index.php?m=joborders&a=show&#39; via the &#39;jobOrderID&#39; and &#39;/index.php?m=companies&a=show&#39; via the &#39;companyID&#39; parameter

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.50 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None