Candidats

candidats

Vendor: Auieo • 9 CVEs

CVEs (9)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-42749 1Auieo 1Candidats Jun 17, 2026 Nov 3, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input...Show more CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. Show less
CVE-2022-42748 1Auieo 1Candidats Jun 17, 2026 Nov 3, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate u...Show more CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. Show less
CVE-2022-42747 1Auieo 1Candidats Jun 17, 2026 Nov 3, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user inp...Show more CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. Show less
CVE-2022-42746 1Auieo 1Candidats Jun 17, 2026 Nov 3, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user...Show more CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks. Show less
CVE-2022-42744 1Auieo 1Candidats Jun 17, 2026 Nov 3, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi...Show more CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks.Show less
CVE-2022-42751 1Auieo 1Candidats Jun 17, 2026 Nov 3, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account w...Show more CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions.Show less
CVE-2022-42750 1Auieo 1Candidats Jun 17, 2026 Nov 3, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.
CVE-2022-25228 1Auieo 1Candidats Jun 17, 2026 Aug 18, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=jo...Show more CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and '/index.php?m=companies&a=show' via the 'companyID' parameterShow less
CVE-2020-9341 1Auieo 1Candidats Jun 17, 2026 Feb 22, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.