Lucene search

K
cveFluid AttacksCVE-2022-42746
HistoryNov 03, 2022 - 8:15 p.m.

CVE-2022-42746

2022-11-0320:15:32
CWE-79
Fluid Attacks
web.nvd.nist.gov
30
6
candidats
cve-2022-42746
xss
cookie theft
security vulnerability

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

40.8%

CandidATS version 3.0.0 on ‘indexFile’ of the ‘ajax.php’ resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks.

Affected configurations

Nvd
Node
auieocandidatsMatch3.0.0-
VendorProductVersionCPE
auieocandidats3.0.0cpe:2.3:a:auieo:candidats:3.0.0:-:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "CandidATS",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "3.0.0"
      }
    ]
  }
]

Social References

More

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

40.8%

Related for CVE-2022-42746