CVE-2022-25228 Information

Description

CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in ‘/index.php?m=settings&a=show’ via the ‘userID’ parameter in ‘/index.php?m=candidates&a=show’ via the ‘candidateID’ in ‘/index.php?m=joborders&a=show’ via the ‘jobOrderID’ and ‘/index.php?m=companies&a=show’ via the ‘companyID’ parameter

Reference

https://candidats.net/forums/ https://fluidattacks.com/advisories/jackson/