
CVE-2022-42750: Stored cross-site scripting (XSS) in CandidATS

Severity: High
Tags: Vulnerability, CVE-2022-42750
Published: Thu Nov 03 2022 (11/03/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: CandidATS

Description

CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.

AI-Powered Analysis

Last updated: 07/03/2025, 13:57:45 UTC

Technical Analysis

CVE-2022-42750 is a high-severity stored cross-site scripting (XSS) vulnerability affecting CandidATS version 3.0.0. It arises because the application does not properly validate files uploaded by users, so an attacker can upload content containing script that is stored and later executed in the browsers of other users who view it. In particular, an external attacker can use this flaw to steal the session cookies of arbitrary users, which can lead to session hijacking and unauthorized access to those accounts. The vulnerability is classified under CWE-79 (improper neutralization of input during web page generation). The CVSS v3.1 score of 8.8 reflects a high impact on confidentiality, integrity, and availability, with a network attack vector (remote exploitation), low attack complexity and no privileges required, but user interaction is necessary (e.g., the victim must open the malicious file or page). The scope is unchanged, meaning the vulnerability affects only the vulnerable component. Although no known exploits are currently reported in the wild, the potential for exploitation is significant given the nature of stored XSS and the ability to steal session cookies. The lack of patch links suggests that a fix may not yet be publicly available or is pending release.

Potential Impact

For European organizations using CandidATS 3.0.0, this vulnerability poses a serious risk. CandidATS is typically used for applicant tracking and recruitment management, so compromised accounts could expose sensitive personal data of job applicants and employees, violating GDPR and other data protection regulations. The ability to steal session cookies can lead to unauthorized access to administrative or user accounts, potentially allowing attackers to manipulate recruitment data, disrupt hiring processes, or exfiltrate confidential information. This could result in reputational damage, regulatory fines, and operational disruption. Additionally, if attackers leverage this vulnerability to implant further malware or pivot within the network, the impact could extend beyond the application itself. Given the remote exploitation vector and low complexity, attackers can target organizations without needing internal access, increasing the attack surface.

Mitigation Recommendations

Organizations should immediately assess their use of CandidATS and identify any instances running version 3.0.0. In the absence of an official patch, mitigating controls include implementing strict input validation and sanitization on file uploads to prevent malicious script injection. Web application firewalls (WAFs) can be configured to detect and block common XSS payloads targeting the application. Additionally, enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. User awareness training should emphasize caution when interacting with files or links within the ATS platform. Monitoring logs for unusual activity related to file uploads or user sessions can help detect exploitation attempts. Organizations should also engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
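The following is an added example (not CandidATS code) of the server-side upload validation and response hardening the recommendations above describe: an allowlist of document types checked against magic bytes rather than the client-supplied name or Content-Type, and download headers that prevent a stored file from being rendered as a page. The allowlist, magic bytes and helper names are assumptions constructed for this illustration.

```python
import re
# Added example (not CandidATS code): server-side checks for an ATS document
# upload so that an HTML/JS payload disguised as a resume is rejected, and so
# that stored files are served in a way the browser will not execute.
# ALLOWED_MAGIC and the helper names are constructed for this illustration.
ALLOWED_MAGIC = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),   # OOXML is a ZIP container
    "txt": (),                  # no magic; content is inspected instead
}
# Conservative filename allowlist: no path separators, quotes or spaces.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")
MARKUP = re.compile(rb"<\s*(script|html|svg|iframe|img|body)", re.IGNORECASE)

class UploadRejected(ValueError):
    pass

def validate_upload(filename: str, data: bytes) -> str:
    """Return the sanitized name to store under, or raise UploadRejected."""
    # Client-supplied Content-Type is deliberately never consulted.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not SAFE_NAME.fullmatch(name) or "." not in name.strip("."):
        raise UploadRejected("unacceptable filename")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_MAGIC:
        raise UploadRejected(f"extension .{ext} is not allowed")
    magics = ALLOWED_MAGIC[ext]
    # A .pdf that starts with "<script" is not a PDF, whatever its name says.
    if magics and not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match declared type")
    if not magics and MARKUP.search(data):
        raise UploadRejected("markup found in plain-text upload")
    return name

def is_accepted(filename: str, data: bytes) -> bool:
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False

def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored upload: force download, forbid sniffing."""
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The magic-byte check is what defeats a double extension such as `cv.html.pdf`; the headers are what keep even a missed file from executing when a recruiter opens it.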


Technical Details

Data Version: 5.1
Assigner Short Name: Fluid Attacks
Date Reserved: 2022-10-10T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdcbd0

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/3/2025, 1:57:45 PM

Last updated: 7/25/2025, 6:16:12 PM

