CVE-2022-42749: Reflected cross-site scripting (XSS) in CandidATS
CandidATS version 3.0.0, on the 'page' parameter of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
AI Analysis
Technical Summary
CVE-2022-42749 is a reflected cross-site scripting (XSS) vulnerability in CandidATS version 3.0.0, affecting the 'page' parameter of the 'ajax.php' resource. The application fails to validate or sanitize this input, so an attacker can inject script that is reflected back into the response. When a victim opens a crafted URL containing the payload, the injected script executes in the victim's browser session and can read cookies, which may carry session tokens or other sensitive data, enabling session hijacking or impersonation of legitimate users. The weakness is classified as CWE-79 (improper neutralization of input during web page generation). The CVSS v3.1 base score is 6.1, a medium severity. The vector string (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates an attack that is reachable over the network, has low complexity and needs no privileges, but does require user interaction (the victim must follow a malicious link). Scope is changed because the injected script runs in the victim's browser rather than in the vulnerable component itself. The impact on confidentiality and integrity is low, with no impact on availability. No exploits are known in the wild and no patch is currently linked, so mitigation for now relies on configuration or custom fixes.
Potential Impact
For European organizations using CandidATS 3.0.0, this vulnerability poses a risk of session hijacking through stolen cookies, potentially allowing attackers to impersonate users and access sensitive recruitment or applicant tracking data. This could lead to unauthorized disclosure of personal data, violating GDPR requirements and resulting in regulatory penalties. The reflected XSS attack requires user interaction, typically via phishing or social engineering, which means targeted attacks could be crafted against employees or partners. The compromise of user sessions could also facilitate lateral movement within the organization's network or unauthorized actions within the ATS platform. While the vulnerability does not directly impact system availability, the confidentiality and integrity risks could undermine trust in the recruitment process and damage organizational reputation. Given the medium severity and the lack of known exploits, the immediate risk is moderate but should not be underestimated, especially in sectors handling sensitive personal data such as HR, government, and large enterprises.
Mitigation Recommendations
1. Implement strict input validation and output encoding on the 'page' parameter in 'ajax.php' to neutralize any injected scripts. Use context-aware encoding libraries to prevent XSS.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
3. Educate users and employees about the risks of clicking on suspicious links, especially those related to recruitment or HR platforms.
4. Monitor web application logs for unusual or suspicious requests targeting the 'ajax.php' endpoint.
5. If possible, upgrade to a patched version of CandidATS once available or apply vendor-recommended fixes.
6. Use web application firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting known vulnerable parameters.
7. Conduct regular security assessments and penetration tests focusing on web application input validation.
8. Implement secure cookie attributes such as HttpOnly and Secure to reduce the risk of cookie theft via XSS.
9. Limit session duration and enforce multi-factor authentication (MFA) to reduce the impact of stolen session cookies.
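The following added example (not CandidATS code, and not part of the original advisory) shows what recommendations 1 and 4 look like in practice: an allowlist check and HTML output encoding for the 'page' parameter, plus a small detector that walks access-log lines for requests to 'ajax.php' whose 'page' value is not a plain page number. The log lines are constructed, the log format is assumed to be Apache/nginx combined style, and the assumption that 'page' should be a small positive integer is the author's, not something the advisory states. The detector URL-decodes repeatedly because a double-encoded value passes a naive single-decode check.

```python
"""Allowlist validation, output encoding and log detection for the
'page' parameter of ajax.php (added example; assumptions noted inline)."""
import re
from html import escape
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: a legitimate 'page' value is a small positive integer.
PAGE_RE = re.compile(r"^[0-9]{1,6}$")
# Characters or tokens that have no business in a page number.
MARKUP_RE = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)
# Combined-log style line: client ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one benign request, one single-encoded
# script tag, one unrelated request, one double-encoded script tag.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2025:09:08:47 +0000] "GET /ajax.php?f=example&page=2 HTTP/1.1" 200 512
10.0.0.7 - - [21/May/2025:09:09:01 +0000] "GET /ajax.php?f=example&page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [21/May/2025:09:09:12 +0000] "GET /index.php?m=home HTTP/1.1" 200 2048
10.0.0.11 - - [21/May/2025:09:09:30 +0000] "GET /ajax.php?f=example&page=%253Cscript%253E HTTP/1.1" 200 640
"""


def fully_decode(value: str, limit: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded to `limit` rounds)."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_page(value: str) -> bool:
    """Allowlist check: accept only what a page number should look like."""
    return bool(PAGE_RE.fullmatch(value))


def encode_for_html(value: str) -> str:
    """Context-aware encoding for an HTML text or attribute context."""
    return escape(value, quote=True)


def find_suspicious(log_text: str) -> list:
    """Return one record per ajax.php request whose 'page' fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/ajax.php"):
            continue
        # parse_qs decodes once; fully_decode catches nested encoding.
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("page", []):
            decoded = fully_decode(raw)
            if validate_page(decoded):
                continue
            hits.append({
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "raw": raw,
                "decoded": decoded,
                "markup": bool(MARKUP_RE.search(decoded)),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['client']} {hit['timestamp']} page={hit['decoded']!r} markup={hit['markup']}")
```

In the hardened handler the same two steps apply in order: reject the value if `validate_page` fails, and pass anything that is echoed back through `encode_for_html` so that a reflected value can never close out of its HTML context. The `markup` flag separates obvious injection attempts from merely malformed values, which is useful for alert tuning.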
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Fluid Attacks
- Date Reserved: 2022-10-10T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981fc4522896dcbdcbcc
Added to database: 5/21/2025, 9:08:47 AM
Last enriched: 7/7/2025, 1:57:20 AM
Last updated: 8/10/2025, 11:02:54 PM